
Many Smartphones Don’t Detect Face Biometrics Spoofs or Properly Warn Consumers
Why It Matters
Face‑unlock vulnerabilities expose billions of users to data theft and account takeover, pressuring manufacturers to improve biometric safeguards and prompting regulators to scrutinize consumer warnings.
Key Takeaways
- 133 of 208 Android phones (64%) fooled by printed 2D photos.
- iPhone Face ID and newer Pixel devices resist flat‑image spoof attacks.
- Samsung Galaxy S26 adds PAD; earlier S25 models remain vulnerable.
- OnePlus adds ultrasonic fingerprint, but still lacks clear face‑unlock warnings.
- Experts recommend PIN or fingerprint over facial unlock for secure authentication.
Pulse Analysis
The rapid adoption of facial recognition as a convenience unlock method has outpaced the development of robust liveness detection on many Android devices. Which?’s extensive lab testing, which examined 208 smartphones released since October 2022, revealed that two‑dimensional printed photos can bypass the face‑unlock sensors of 133 models, representing 64 percent of the sample. iPhone’s TrueDepth sensor and the latest Google Pixel handsets, which incorporate depth mapping, stood out as exceptions, with the Pixels among the few Android devices that resisted the spoof. Samsung’s flagship Galaxy S26 finally integrated a dedicated presentation‑attack detection (PAD) module, but its predecessor, the S25, still fails the spoof test.
The security gap has practical consequences for both users and enterprises. A thief armed with a simple printed portrait can unlock a vulnerable phone, read private messages, and harvest one‑time passwords that enable password resets on banking or email accounts. Financial institutions and digital‑wallet providers have already begun rejecting Android face biometrics as a high‑assurance factor, forcing developers to rely on PINs, passwords, or fingerprint sensors. Regulators in the EU and U.S. are watching the trend, with consumer‑protection agencies urging clearer disclosure of biometric limitations.
Consumers should treat on‑device facial unlock as a convenience rather than a security control. Switching to a complex PIN, a long alphanumeric password, or an ultrasonic fingerprint sensor—such as the one introduced on the OnePlus 15 T—provides a markedly higher barrier against unauthorized access. Manufacturers that fail to display explicit warnings risk reputational damage and potential liability if data breaches are traced to inadequate biometric safeguards. Looking ahead, we can expect tighter integration of depth‑sensing hardware, AI‑driven liveness checks, and industry‑wide standards that differentiate convenience authentication from true multi‑factor security.