Some Android tablets now use face unlock, so I was wondering if Bitwarden will support this and also how you would evaluate how secure this option is. Unlike Apple’s implementation, some Android face unlock can be tricked using a photo.
Urrgh. This was a big rabbit hole. A bit of background then. In the iOS world, face unlock is common because at some point in time Apple removed the fingerprint reader and replaced it with face readers. The Apple face readers were actually quite well designed and use a 3D profile so that you can’t fool them using a picture. Many password managers use face unlock to authenticate on iOS.
In the Android world, it’s still mostly fingerprint. Around the release of Android 10, Google updated the framework to abstract the biometric authentication. Now instead of calling an API to authenticate via fingerprint, they call the API for biometric authentication where the device can plug in fingerprint or face or whatever. However, just because the framework is there does not mean there are real devices. Currently, the only valid face unlock devices supported are the Pixel 4 and probably the 4 XL. Not even the Pixel 5 or 6 is supported for strong biometric unlock.
But wait, a lot of Samsung devices also support Face Unlock. However, these are lesser devices that may use a 2D camera, meaning that they can be fooled by a picture. A few years ago, there were even a lot of articles that demonstrated that you can use a picture to bypass Samsung face unlock. Samsung made some improvements to fix the issue. My guess is that they improved the algorithm to not authenticate on a static picture. The camera is still not 3D and so not as secure. It literally says that the method is not secure when you enable the feature.
What does this mean? Well, if you are using Android, don’t expect to use face unlock to unlock Bitwarden or Android apps unless you happen to be using a Pixel 4 or 4 XL (this appears to be supported by Bitwarden). Non-Pixel 4 or 4 XL unlock will only work for unlocking your device.
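The strong-versus-weak distinction described above, as an added example that is not part of the original post and is not Bitwarden's code: a sketch of how an Android app can use the `androidx.biometric` library to accept only strong (Class 3) biometrics for unlocking secrets. The enum, the function names and the prompt strings are hypothetical.

```kotlin
import android.content.Context
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_WEAK
import androidx.biometric.BiometricPrompt

// Hypothetical result type for this example.
enum class VaultUnlockSupport { STRONG_BIOMETRIC, WEAK_ONLY, NOT_ENROLLED, UNAVAILABLE }

// Ask the framework what the device offers. The app never sees whether the
// sensor is a fingerprint reader or a face camera, only its strength class.
fun vaultUnlockSupport(context: Context): VaultUnlockSupport {
    val manager = BiometricManager.from(context)
    return when (manager.canAuthenticate(BIOMETRIC_STRONG)) {
        // A Class 3 sensor is present and the user has enrolled with it.
        BiometricManager.BIOMETRIC_SUCCESS -> VaultUnlockSupport.STRONG_BIOMETRIC
        // Strong hardware exists, but nothing is enrolled on it yet.
        BiometricManager.BIOMETRIC_ERROR_NONE_ENROLLED -> VaultUnlockSupport.NOT_ENROLLED
        else ->
            // No usable strong sensor. A face unlock that the vendor registers
            // only as weak (Class 2) ends up here: it exists, but it is not
            // good enough to release vault secrets.
            if (manager.canAuthenticate(BIOMETRIC_WEAK) == BiometricManager.BIOMETRIC_SUCCESS) {
                VaultUnlockSupport.WEAK_ONLY
            } else {
                VaultUnlockSupport.UNAVAILABLE
            }
    }
}

// Prompt configuration that refuses anything below Class 3. On a WEAK_ONLY
// device the app should skip the prompt and ask for the master password.
fun strongOnlyPrompt(): BiometricPrompt.PromptInfo =
    BiometricPrompt.PromptInfo.Builder()
        .setTitle("Unlock vault") // constructed sample text
        .setNegativeButtonText("Use master password") // constructed sample text
        .setAllowedAuthenticators(BIOMETRIC_STRONG)
        .build()
```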