2D Photos Easily Dupe Face Recognition On These Top Android Phones

In a recent survey of modern smartphones, a large proportion were found to offer face recognition technology (FRT) that was alarmingly weak. Devices from most major Android vendors, including Honor, Motorola, Nokia, Oppo, Samsung, Vivo and Xiaomi, used FRT that could be fooled by a simple printed photo of the actual user, the research found. Moreover, a usable photo in the hands of a spoofer didn’t have to be of very high quality, or be printed on particularly good paper or with a particularly good printer, to work.

With people ever more reliant on their smartphones for financial services and transactions, the secure login and identity verification functionality of these devices is ever more important. This writer has various banking applications, which allow passwordless access via biometric verification, but some will have many more FinTech apps in daily use - like digital wallets, share trading, or crypto/NFT platforms. Having strangers or thieves poking around these apps and being able to check through various other personal documents, communications and data is highly undesirable. However, if your phone has weak security, then all this sensitive information and even your savings might be easy for a malicious actor to grab.

Nokia G60 5G failed the Which? FRT test

Let us look at the list of phones consumer magazine Which? found to offer very little security via their FRT implementations. From the 48 modern devices tested by the periodical, the following 19 (40%) were duped by a simple 2D printed photo:
  • Honor 70
  • Motorola Razr 2022, Motorola Moto E13, Motorola Moto G13, Motorola Moto G23
  • Nokia G60 5G, Nokia X30 5G
  • Oppo A57, Oppo A57s
  • Samsung Galaxy A23 5G, Samsung Galaxy M53 5G
  • Vivo Y76 5G
  • Xiaomi POCO M5, Xiaomi POCO M5s, Xiaomi POCO X5 Pro, Xiaomi 12T, Xiaomi 12T Pro, Xiaomi 12 Lite, Xiaomi 13

Further investigations indicated that these devices largely used FRT which was categorized as ‘Class 1 Biometric’. Apparently, Android doesn’t let devices using this class of FRT use their biometrics for third-party app sign-ins, or to confirm important account actions. This is some saving grace, but the source points out that a lot of other sensitive data would be open for pilfering by someone who had spoofed general access to your smartphone.

Which? Tech Editor, Lisa Barber, was quite perturbed by the research findings. “It’s unacceptable that brands are selling phones that can easily be duped using a 2D photo, particularly if they are not making their customers aware of this vulnerability,” she said. “Our findings have really worrying implications for people’s security and susceptibility to scams.” Meanwhile, Which? has removed any affected phones from its best buy and value recommendations lists.

The expensive Moto Razr 2022 failed the Which? FRT test

If your device’s FRT is in the weak list above, or you otherwise know it to be insecure, it is probably best to ignore it as a security feature and completely turn it off, erasing any registered facial data. In this case you might alternatively use the fingerprint sensor (if present) for biometrics, or a 6-digit PIN, for a more adequate level of security.

The source publication laments the fact that so many Android phones fall to simple 2D spoofing. For perspective, it must be pointed out to any current or potential iOS device user that Apple’s FRT implementation, dubbed ‘Face ID’, is a robust standard which even offers 3D anti-spoofing, and can’t be bypassed by photos, videos, or even sophisticated 3D head models of the user. This is why some banking apps restrict FRT identity verification to Apple users, explains Which?