Face Unlock on Many Android Phones Can Be Fooled by a Photo

Sophia Taylor

Face unlock is meant to make getting into your phone quick and easy. But new testing suggests that on many Android devices, it may not be secure enough to protect your personal information. In a large set of phone tests, many models were unlocked using nothing more than a printed 2D photo of the owner.

The findings come from Which?, a British consumer rights brand, which tested 208 smartphones between October 2022 and today. It found that 133 of them, or 64%, could be bypassed this way. The problem was especially widespread in 2024, when 72% of the phones tested failed the photo-spoof check, although the failure rate improved slightly in 2025.

Affected brands include Asus, Fairphone, Honor, HMD, Motorola, Nokia, Nothing, OnePlus, Oppo, Realme, Samsung, Vivo and Xiaomi. The weakness is most common in budget and mid-range handsets, but it is not limited to cheaper phones. Some high-end models, including phones in Samsung’s Galaxy S25 range, were also caught out.

Why this matters

For most people, the biggest risk is not mobile payments. Low-security face unlock systems generally cannot be used to approve banking actions or access services such as digital wallets that require stronger authentication. The bigger issue is that they may still open the phone itself, exposing messages, emails, photos and other personal data.

That access can create further problems. If someone gets into your email account on your phone, they may be able to start password reset requests for other services. They may also be able to read private conversations, view sensitive images, or learn more about you from shopping history and saved account details.

The weakness comes from the type of facial recognition many Android phones use. Standard 2D systems rely on a front camera image and often cannot reliably tell the difference between a real face and a flat photo. More advanced 3D systems map depth, making them much harder to trick.

Apple iPhones remain among the better protected devices because they use 3D facial recognition. Some Android phones also performed better. Recent Google Pixel phones, including the Pixel 8, 9 and 10, passed these tests, and the newer Samsung Galaxy S26 series also did better than earlier Samsung flagships.

What phone owners should do

Consumer advice is simple: do not rely on basic face unlock if your phone uses a weaker 2D system. A fingerprint sensor or a PIN is a safer choice for unlocking your device. A longer PIN or password offers stronger protection, especially if your phone contains work emails, private photos or access to important accounts.

It is also worth adding extra protection to sensitive apps. Many Android phones let users require a fingerprint or PIN for apps such as WhatsApp, email and photo galleries. Setting a SIM PIN can also help prevent thieves from moving your number to another phone and intercepting text-based security codes.

The results also raise questions about how clearly brands warn users. Which? said some manufacturers do a better job than others of explaining the limits of face unlock during setup. Its concern is that convenience features are still being offered in ways that may leave users with a false sense of security.

For consumers, the message is straightforward. Face unlock may be fast, but on many Android phones it is still not secure enough to be trusted on its own. If you want stronger protection for your personal data, fingerprint login or a PIN remains the safer option.