James: Think your phone is secure because you’re using face unlock to log in? Think again.
Hello and welcome to Which? Shorts - your free weekly insight into Which? magazine, as well as our Money, Tech, Travel and Gardening titles too.
Today I’m bringing you a piece that our smartphone expert Adam Speight wrote for the June/July issue of Which? Tech, all about facial recognition.
Over the last few years, our extensive lab tests have found that phones from major brands, including Motorola, OnePlus and Samsung, have a flaw that could be exploited to unlock the screen and steal personal information.
Here, we explain what you need to know to ensure your phone is kept secure.
Here’s Adam’s piece, adapted for the podcast, this week read by me, James Rowe.
Unless you're using an iPhone, a recent Google Pixel, or one of a few ‘Pro’ Android models, using face unlock to open your phone could be risking your personal data.
Our testing at the Which? labs has revealed a persistent and troubling trend. Many new smartphones from major brands can still be bypassed using nothing more than a photo of the owner. While some manufacturers have made strides in providing clearer warnings during setup, the underlying security flaw remains a ‘back door’ for criminals to access your messages, emails and sensitive apps.
And the numbers are sobering.
Since October 2022, we've put 208 phones through their paces, and in a staggering 64% of cases – that’s 133 devices – the face unlock biometrics were able to be easily fooled in our labs by a 2D printed photo.
If you’re hopeful that the situation may have improved significantly over the years, think again; the problem actually peaked in 2024. That year, the proportion of ‘foolable’ phones jumped by 35% compared to 2023. To put that in perspective, while 53% of phones failed our checks in 2023, that figure surged to 72% just a year later.
We saw a slight 13% year-on-year improvement in 2025 – nudging the failure rate down to 63% – but the reality is that most new phones arriving on shop shelves still aren't up to scratch.
So which phones are more secure for facial recognition?
Well, most Android phones rely on a standard 2D facial recognition system. This essentially uses the camera to take a flat picture of you. Because it lacks depth, it often cannot distinguish between a living, breathing human and a photo or someone who looks like you.
But our latest lab tests show that some manufacturers are making tangible progress. The new Samsung Galaxy S26 series successfully passed our latest round of spoofing tests. This represents a significant step forward from previous flagships, such as the Galaxy S25 range, which were bypassed in our labs - although they did provide users with adequate warnings.
Apple’s Face ID is also much harder to trick. It uses complex 3D mapping that projects thousands of invisible dots to create a depth map of your face.
It's worth noting that Google’s recent flagship phones - the Pixel 8, 9, and 10 - represent somewhat of an exception, too. They use a 2D system that is significantly more secure. Google uses advanced machine learning to ensure these phones meet the highest security standards, making them safe enough for banking and payments.
However, for some other Android brands, the 2D systems on their cheaper and mid-range handsets – along with some flagships – are still failing our photo-spoof tests.
We believe that security shouldn't be a luxury reserved for those who can afford a £1,000 phone.
In some cases, this vulnerability is acknowledged as an issue, and you are warned when you first set up your phone. Unfortunately, some brands are failing even to do this.
This lack of transparency isn't a universal flaw – it depends heavily on the logo on the back of your phone. While we’ve seen more adequate security warnings since 2023, there hasn't been an industry-wide step-change. A few manufacturers have upped their game; Xiaomi, for example, made sure to flag the 2D photo security risks on 26 separate vulnerable handsets we tested between 2023 and 2025. Samsung has also provided upfront warnings on nine of its devices over the past three years.
But at the other end of the scale, there's a lack of transparency. Motorola and OnePlus are the biggest offenders here – between them, they have released 27 phone models since October 2022 that were easily bypassed in our labs but do not, in our view, offer an adequate warning to the person holding the device.
We have approached the manufacturers of the affected phones to demand better standards and clearer transparency. Some have responded by pointing to their fingerprint sensors as the ‘primary’ security method, but we believe that if a feature is offered, it should be fit for purpose.
You might be wondering what the risk is, especially since most UK banking apps and Google Wallet are smart enough to recognise low-security 2D systems.
Well, a thief could still unlock your phone with a photo, possibly allowing them to access your private WhatsApps, send emails to reset your passwords, and access your photos to expose sensitive photos.
But you can strengthen your phone’s security by switching to a fingerprint or a Pin to unlock it, rather than relying on the face unlock feature.
You can also set up a Sim Pin - it prevents a thief from taking your Sim card and putting it in another phone to intercept your bank’s security codes sent via text.
And why not use ‘App Lock’ features? This allows you to require a fingerprint specifically for sensitive apps like WhatsApp, your email or your photo gallery.
We got in touch with the manufacturers we’ve mentioned.
Motorola describes consumer safety as a top priority, but admits its face unlock technology is built primarily for convenient unlocking of the phone. It recommends that owners stick with a Pin, password or pattern for better protection and says it reminds users of this when they first set up the phone. Motorola also highlighted a built-in safety net: even if you use face unlock, the phone’s software will still demand a manual code if the handset is restarted or has been left idle for more than four hours.
Meanwhile, OnePlus argues that it is already being transparent about these risks. It pointed to a mandatory ‘Statement on Using Face Recognition’ that every user must read before they can turn the feature on. This notice tells owners that the technology is less secure than a fingerprint or a numeric password. It also warns that, in rare cases, the camera could be tricked by an object or a person with a similar appearance to the owner.