Many smartphones don’t detect face biometrics spoofs or properly warn consumers

Biometric liveness detection remains a significant “flaw” and a “vulnerability” of most Android smartphones with facial unlocking. Most are still prone to simplistic and low-cost spoofs available to inexpert attackers, according to an analysis by Which?.
The publication notes that iPhones are generally immune to spoofs with printed 2D photos, due to the depth-sensing capability of Face ID. Some newer Google Pixel devices were also not fooled by flat images in Which? testing.
Native device face biometrics are sometimes identified as a convenience feature, and Which? acknowledges that “some manufacturers have made strides in providing clearer warnings during setup.”
Yet many Android smartphones do not, it says, including models from OnePlus and Motorola. OnePlus did just release a new phone with in-display 3D ultrasonic fingerprint biometrics from Qualcomm.
Which? labs has tested 208 phones since October of 2022, and found 2D printed photos were good enough spoofs to fool the face biometric unlock systems of 133 devices, or 64 percent of them.
Testing during 2025 revealed a 13 percent improvement, year-over-year, after a brutal 2024 in which the share of spoof-prone devices rose dramatically.
Samsung’s Galaxy S26 has adequate biometric presentation attack detection (PAD), Which? says, but previous models including the Galaxy S25 do not. At least the manufacturer properly warns consumers that its facial recognition is a convenience feature, rather than a high-security one.
While banking apps and digital wallets no longer accept 2D Android face biometrics as a secure authentication factor, Which? warns that users who rely on face biometrics to unlock their phone are exposed if a phone thief has their photo. The thief could read their text messages, send emails from their account (which could allow them to reset passwords for other services), access photos and other sensitive documents, and view additional information like wallet history and partial payment card information.
The publication advises all smartphone users to unlock their phones with a PIN or fingerprint biometrics. A complex PIN or password provides the “highest” security level, it says. Patterns provide the lowest, Which? says, because they are easily shoulder-surfed. Shoulder surfing is not mentioned in the password guidance.
Which? will also avoid giving “Best Buy” or “Great Value” recommendations to phones that do not adequately inform users about the limits of their face biometrics capabilities.
As for those apps that do recognize a difference between on-device convenience authentication factors and higher-security biometrics, hopefully they have strong injection attack detection (IAD).