Native smartphone face biometrics can be spoofed; UK consumer groups freaks out
Smartphone face biometrics from many leading brands are vulnerable to spoof attacks with 2D photographs, according to a new report from UK-based consumer testing and review group Which?, according to Yahoo Finance UK.
The group says the vulnerability is “unacceptable,” and has “worrying implications” for user’s security.
On-device biometrics are used for device unlocking and local authentication, while KYC processes for customer onboarding and strong remote identity verification is typically carried out with server-side biometrics and other signals, with a layer of liveness or presentation attack detection.
The phones tested include Honor, Motorola, Nokia, Oppo, Samsung, Vivo and Xiaomi handsets. Apple’s 3D FaceID biometrics were not fooled by the photos. The devices tested range in price from £89.99 to nearly £1,000 (approximately US$112 to $1,244), but the majority of phones that failed the test are lower-cost or mid-range models.
Out of 48 new smartphone models tested, 60 percent were not vulnerable to spoofing with a photograph.
Google says that Class 3 biometric unlock is required for contactless payments above £45 ($56), which means the vulnerable models should not support those payments through facial unlock.
“We would strongly advise anyone using these phones to turn off face recognition and use the fingerprint sensor, a strong password or long PIN instead,” says Which? Tech Editor Lisa Barber. “This needs to be a wake up call for manufacturers – they need to step up and improve the security of their biometric systems against spoofing.”
Data from roughly one-third of Americans is hacked each year, mostly due to insecure usernames and passwords and low digital literacy, according to career consultancy Zippia.