The Pixel 4's face unlock doesn't look for the user's eyes so that the phone could be pointed at a sleeping or unconscious owner and unlocked without their consent.
Google said in a statement that a fix requiring a user's eyes to be looking at the device "would be delivered in a software update in the coming months".
The Pixel 4 was announced last week, and instead of including a fingerprint reader as most Android phones do, the Pixel 4 features Google's newly developed face-unlock system as the only biometric option.
In principle it is not a bad system – IR dot projector blasts a grid of invisible dots onto the user's face, and a camera (a pair of cameras, in the case of the Pixel 4) reads the user's face in 3D. What is worrying is that Google was aware of the problem when Pixel 4 shipped. Screenshots of pre-release builds of the Pixel 4's software showed an option to "require eyes to be open".
Ars Technica published a full statement from Google:
"We’ve been working on an option for users to require their eyes to be open to unlock the phone, which will be delivered in a software update in the coming months. In the meantime, if any Pixel 4 users are concerned that someone may take their phone and try to unlock it while their eyes are closed, they can activate a security feature that requires a pin, pattern or password for the next unlock. Pixel 4 face unlock meets the security requirements as a strong biometric, and can be used for payments and app authentication, including banking apps. It is resilient against invalid unlock attempts via other means, like with masks."