Face recognition on 40% of new phones easily spoofed with a printed photo

40% of smartphones tested at Which? labs since August 2022 have face recognition that can be spoofed with a 2D printed photo, allowing criminals to easily gain access to the phone.

Revealed as part of extensive security and privacy tests conducted at Which? labs, the vulnerability affected 19 out of 48 handsets from some of the biggest brands, including Samsung, Motorola and Nokia. 

Which? is advising all consumers who own affected phones to use alternative security, such as PIN or fingerprint recognition, to access these phones, and will not be giving Best Buy or Great Value recommendations to any phones impacted by this issue.

As well as rating performance, our mobile phone reviews include detailed security and privacy checks on handsets

Which phones have face recognition that can be spoofed?

Some face recognition systems are difficult to dupe and can be one of the most secure ways to lock your phone. However, face recognition systems across smartphones from different manufacturers do not use the same technology. This means some may be easier to bypass than others.

No biometric system is foolproof, but being able to fool a biometric login with something as simple and accessible as a 2D photograph clearly demonstrates an inadequate level of security. 

From August 2022, Which? lab tests confirmed that the face recognition systems on the following phones can be fooled with a printed 2D photograph of the phone's owner:

• Honor 70
• Motorola Razr 2022, Motorola Moto E13, Motorola Moto G13, Motorola Moto G23
• Nokia G60 5G, Nokia X30 5G
• Oppo A57, Oppo A57s
• Samsung Galaxy A23 5G, Samsung Galaxy M53 5G
• Vivo Y76 5G
• Xiaomi POCO M5, Xiaomi POCO M5s, Xiaomi POCO X5 Pro, Xiaomi 12T, Xiaomi 12T Pro, Xiaomi 12 Lite, Xiaomi 13

The majority of these phones have launched at the cheaper to mid-range end of the market, with prices from £89.99 for the Motorola Moto E13. However, consumers shouldn't have to compromise on security on their mobile phones if they've opted for a cheaper handset.

A few more expensive handsets were at fault too, including the Motorola Razr 2022 that had a launch price of £949.99.

Phone brands respond

We reached out to the phone brands identified in our investigation. Vivo said it tells customers during phone setup that face recognition may be unlocked by people or objects that look similar to the consumer, and that it prompts review and agreement to the noted Privacy Terms before setting up 2D facial recognition.

Samsung told us that it provides various levels of biometric authentication, with the highest level of authentication from the fingerprint reader. In addition, it provides users with multiple options to unlock their smartphones through both biometric security methods, and convenient options such as swipe or facial recognition. Further information about facial recognition can be found via the settings on Samsung Galaxy smartphones.

HMD Global, home of Nokia phones, said its affected phones have facial recognition software that does not have privileges in third party apps. It tells customers that the face unlock is less secure than using a fingerprint, pattern or password, and that the face recognition can be unlocked by someone or something with a similar appearance. It did not register any issues in its own testing with printed pictures.

Honor, Motorola, Oppo and Xiaomi did not respond to our request for comment.

See how long your device will be supported by important updates in our guide to mobile phone security

What’s the risk to my phone and my personal data?

Fortunately, many modern smartphones use fairly sophisticated biometrics that cannot easily be fooled by a photo, but for those impacted in our investigation, it's important to take steps to safeguard your device. 

If someone uses a photograph to fool the face recognition and unlock your phone, you're unlikely to be aware that the person has accessed your handset. For our convenience, a lot of apps on our phones keep us logged in when we close the app, so if the screen lock on your phone is bypassed, a hacker can potentially access a lot of sensitive information in logged-in apps and cause a lot of damage.

There are voluntary standards in place from the European Telecommunications Standards Institute for biometric unlock, that manufacturers can choose to follow. This states 2D facial recognition systems should not be duped more than 1 in 50,000 times. But with our test labs revealing how easy it is to spoof the face recognition systems on these phones with photographs, we suspect the face recognition systems on these phones may not match up to this standard. Google told us it was working with the industry on a certification program based on this standard. 

The phones that were fooled by a photograph in our tests run on Android's operating system. Manufacturers must ensure their devices and software meet Android's requirements in order to run on the software and be 'Android compatible'. This involves how often a device's security measures can be fooled to still be viewed as secure. Class 3 systems have the highest level of biometric security and must not accept spoofs more than 7% of the time, Class 1 systems are the least secure, with a spoof rate of 20% of the time or more.

Which? suspects the face recognition on affected phones from its research should be categorised as a Class 1 biometric (which is the least secure), as its lab tests revealed the face recognition systems can be fooled with 2D photographs easily and repeatedly, though only HMD Global for Nokia phones confirmed this was the classification for its affected handsets. Android does not permit phones in this category being used by third-party apps to sign in or to confirm important actions.

With varying standards being adopted, you might be wondering how apps that deal with sensitive and financial data are able to manage the risk, and keep customers safe. We reached out to banks that use banking apps with our findings.

Banking apps and biometric login

Fortunately, it appears as though the range of protections in place from banks should mitigate the risk posed by insecure facial recognition, though not all banks were as forthcoming with their security protocols. 

A number of banking apps only allow face recognition as a security measure on Apple iPhones. Apple's Face ID technology has not been fooled by a 2D printed photograph in our tests. This includes AIB (NI), Bank of Scotland, Cumberland Building Society, Danske Bank, First Direct, Halifax, HSBC, Lloyds Bank, Metro Bank, Triodos, TSB and Virgin Money.

We have found that face recognition is often not used in isolation on banking apps. Instead, banking apps usually employ additional requirements or a number of authentication measures for a customer's higher risk actions, such as transferring money to a new account.

This includes requiring Android devices to employ stronger Class 3 or Class 2 security (Nationwide), or only Class 3 (The Co-operative Bank). Natwest and Royal Bank of Scotland’s facial authentication methods go beyond the device's biometric system and include liveness checks to prevent photos being able to mimic customers. Santander and Starling require additional security details when facial recognition is switched on.

Chase only allows facial recognition on a limited number of Android devices, and Handelsbanken does not currently offer face recognition on its app.

Barclays chose not to share its specific security protocols for different handsets, and Monzo and Revolut did not provide a quote for publication.

For more on banking online, find out which banks have the best online and app security

Google Wallet and other mobile payment apps

With Google Wallet, you can upload your bank cards to pay for things using contactless payments systems from your phone. More and more phones are being released with 'near-field communication' required for this function. You can download Google Wallet on any Android phone and the app is currently reported to have over 150 million users worldwide.

Users in the UK can make contactless payments with Google Wallet up to £45 without needing to unlock the phone. Google told us that for higher value transactions, users must use a more secure Class 3 biometric unlock. This should mean that the models we were able to spoof aren’t able to complete transactions over £45 if you use the face recognition to unlock the phone. The trouble is, like so many unprotected apps on your phone, the Google Wallet app may contain other sensitive information useful to scammers. The credit/debit cards registered tell the scammer who you bank with, and may display the last 4 digits of their card numbers. The app may also contain information about recent transactions like where you shopped and how much you paid that might help them answer security questions. So if the phone’s screen is unlocked with a 2D photograph, this information could be at risk.

When you make any payment with Samsung Pay, you need to authenticate your identity by using your fingerprint scanner or PIN code. For Apple Pay, you must use face ID or PIN code.

Find out more about Goggle Wallet and Apple Pay, and whether they are safe to use

Which? recommends: turn off face recognition and lock your apps

On all of the affected handsets, face recognition is an optional security feature, so we recommend you turn it off and use the fingerprint sensor, or a password/ PIN instead. All phones we tested had another option for locking the screen.

• Long PINS are generally more secure (six characters), and if you can set up a password, use a mixture of different characters so it's harder to guess.
• We recommend setting up protections on your apps that contain sensitive information too - this could involve logging out when you're not using them, or setting up passwords or biometric locks.
• We also recommend you set up a second lock on your Google Wallet app. This can be a PIN, pattern, password, logged fingerprint or iris scan, depending on what your phone offers.
• If you prefer, you can turn off the NFC function on your phone when it is locked so you can't make contactless payments without unlocking your phone. You can do this in your phone's settings.

Which? calls for brands to improve security standards

Which? is calling on manufacturers to improve the security of their biometric systems against spoofing, and to acknowledge and properly inform consumers to be aware of this type of 2D photo spoofing on some types of facial recognition.

As a result of its investigation, any phones that offer face recognition as a security and privacy feature that can be fooled with a 2D photograph will not be eligible for Best Buy or Great Value recommendations.