BTW you HAVE to say OK Google you can't just tap the mic icon.
Settings > Security > Smart Lock > Trusted Voice.
This ties in to the Always On "Ok Google" detection (Google app > Menu > Settings > Voice > "Ok Google detection).
That is where you train your phone to recognize
your voice. It then listens for
you to say "Ok Google" to automatically bypass the lockscreen.
You can read more about this feature
here.
During the setup of that feature, you get a popup warning that someone with a voice similar to yours (like your son) may be able to bypass the lockscreen as well.
Smart Lock is just another instance of balancing security versus convenience. Google created Smart Lock (and implemented native support for fingerprint-based authentication) in response to the worrying number of people who didn't secure their phones with a simple lockscreen passcode.
Smart Lock makes it easier for lazy people to have a bit of extra security without causing excess inconvenience when using their device.
All of the Smart Lock features warn that their use will not necessarily be as secure as simply requiring a PIN to be entered every time:
- On-Body detection could be bypassed if a thief swiped your phone from your pocket
- Trusted Places means that anyone also in your trusted place (home, office) would have full access to your phone
- Trusted Devices could be defeated by a thief taking both your phone and your paired Bluetooth device (smartwatch, headphones, etc)
- Trusted Face could be tricked by someone who looks like you
- and Trusted Voice, as you've discovered, could be bypassed by someone who sounds like you.
While convenience features like Smart Lock aren't going to be as secure as requiring a PIN or complex password each time you unlock your device, they're still much more secure than no lockscreen security at all. That's the demographic of users that Google was targeting.
