
Why using face unlock on a phone could be risking your data

Phones from major brands, including Motorola, OnePlus and Samsung, have a flaw that could be exploited to unlock the screen and steal personal information
Adam Speight, Senior Researcher/Writer, Product Testing

A certified smartphones, tablets and wearables whizz, Adam's been hands-on with tech for more than five years, sharing expert knowledge and buying advice. 


Unless you're using an iPhone, a recent Google Pixel, or one of a few ‘Pro’ Android models, using face unlock to open your phone could be risking your personal data.

Our testing at the Which? labs has revealed a persistent and troubling trend. Many new smartphones from major brands can still be bypassed using nothing more than a photo of the owner. While some manufacturers have made strides in providing clearer warnings during setup, the underlying security flaw remains a ‘back door’ for criminals to access your messages, emails and sensitive apps.


We always highlight phones that fail this test in our mobile phone reviews.


Which phones have face recognition that can be fooled?

The numbers are sobering. Since October 2022, we've put 208 phones through their paces, and in a staggering 64% of cases – that’s 133 devices – the face unlock was easily fooled in our labs by a 2D printed photo. If you’re hoping that the situation has improved significantly over the years, think again; the problem actually peaked in 2024. That year, the proportion of ‘foolable’ phones jumped by 35% compared to 2023. To put that in perspective, while 53% of phones failed our checks in 2023, that figure surged to 72% just a year later.

Phone brands we've tested since October 2022 that have foolable facial recognition:

Asus, Fairphone, Honor, HMD, Motorola, Nokia, Nothing, OnePlus, Oppo, Realme, Samsung, Vivo and Xiaomi

We've seen a slight 13% year-on-year improvement in 2025 – nudging the failure rate down to 63% – but the reality is that most new phones arriving on shop shelves still aren't up to scratch.

Which phones are more secure for facial recognition?

Most Android phones – particularly budget and mid-range models – rely on a standard 2D facial recognition system. This essentially uses the camera to take a flat picture of you. Because it lacks depth, it often cannot distinguish between a living, breathing human and a photo or someone who looks like you.

However, our latest lab tests show that some manufacturers are making tangible progress. The new Samsung Galaxy S26 series successfully passed our latest round of spoofing tests. This represents a significant step forward from previous flagships, such as the Galaxy S25 range, which were bypassed in our labs (although they did provide users with adequate warnings). 

Apple’s Face ID (and 3D systems found on ‘Pro’ models from brands like Honor) is also much harder to trick. These use complex 3D mapping that projects thousands of invisible dots to create a depth map of your face.

It's worth noting that Google’s recent flagship phones (the Pixel 8, 9, and 10) represent somewhat of an exception, too. They use a 2D system that is significantly more secure. Google uses advanced machine learning to ensure these phones meet the highest security standards (known as Class 3), making them safe enough for banking and payments. However, for some other Android brands, the 2D systems on their cheaper and mid-range handsets – along with some flagships – are still failing our photo-spoof tests.

Read our previous investigation into foolable face unlock on phones for more background on this issue.

The smartphone brands putting customers at risk


We believe that security shouldn't be a luxury reserved for those who can afford a £1,000 phone. In some cases, this vulnerability is acknowledged as an issue, and you are warned when you first set up your phone. Unfortunately, some brands are failing even to do this.

This lack of transparency isn't a universal flaw – it depends heavily on the logo on the back of your phone. While we’ve seen more adequate security warnings since 2023, there hasn't been an industry-wide step-change. A few manufacturers have upped their game; Xiaomi, for example, made sure to flag the 2D photo security risks on 26 separate vulnerable handsets we tested between 2023 and 2025. Samsung has also provided upfront warnings on nine of its devices over the past three years.


What Which? defines as an ‘adequate’ warning

We define an adequate warning as a clear, prominent notification during the setup process that explicitly cautions the user that their phone could be bypassed by a 2D photo or by someone who looks like them. This information must be presented directly during the main setup, rather than being buried in a separate ‘terms and conditions’ document or hidden behind a ‘learn more’ link.

Which? is advising all consumers who own affected phones to use alternative security, such as a Pin or fingerprint recognition, to access these phones, and will not be giving Best Buy or Great Value recommendations to any phones that don't sufficiently warn about this issue.

But at the other end of the scale, there's a lack of transparency. Motorola and OnePlus are the biggest offenders here – between them, they have released 27 phone models since October 2022 that were easily bypassed in our labs but do not, in our view, offer an adequate warning to the person holding the device.

Even the newer brands on the market are falling into the same trap. Nothing, for instance, failed to give its customers adequate warning on all of the five devices we've put through our test lab since 2024. Of course, these figures reflect the specific models we picked for our lab tests. While we can’t speak for every single handset made in the last few years, the data paints a clear picture of which brands take your privacy seriously – and which ones are leaving the door unlocked.

We have approached the manufacturers of the affected phones to demand better standards and clearer transparency. Some have responded by pointing to their fingerprint sensors as the ‘primary’ security method, but we believe that if a feature is offered, it should be fit for purpose.

These are the phones that can be fooled by a photo and have become ineligible for a Best Buy or Great Value recommendation, as they don't provide an adequate warning that this is the case:

  • Fairphone 6
  • Honor Magic6 Lite 5G
  • Motorola Moto G75 5G, Motorola Edge 60 Pro, Motorola Edge 60 fusion, Motorola Moto G56 5G, Motorola G86, Motorola Edge 40 Neo, Motorola Moto g35, Motorola Moto g55, Motorola Razr 50 Ultra, Motorola Edge 50 Ultra, Motorola Edge 50 Pro, Motorola Moto G73
  • Nothing Phone (2a) Plus, Nothing Phone (3a), Nothing Phone (3a) Pro, Nothing Phone (3), Nothing Phone (2a)
  • OnePlus 13R, OnePlus 13, OnePlus Nord 5, OnePlus Nord CE5, OnePlus 15, OnePlus Nord 3 5G
  • Oppo Reno 13 F, Oppo Reno 13 Pro, Oppo Find X9 Pro, Oppo Find X9, Oppo Reno 11 F 5G

List correct as of March 2026.


For more on mobile phone security, check how long your phone will receive security updates.


What’s the risk of using face unlock for a phone?

You might feel safe because your banking app requires a separate login, and there are indeed safeguards in place. For example, most UK banking apps and Google Wallet are smart enough to recognise low-security 2D systems and will force you to use a fingerprint or Pin instead.

However, there’s still a risk to your privacy. If a thief can unlock your homescreen with a photo, they could:

  • Read your private WhatsApp and text messages, which often contain sensitive personal information.
  • Send emails from your account – a common tactic used to reset passwords for your other online services.
  • Access your photo gallery, exposing your family photos and potentially images of sensitive documents.
  • View your Google Wallet history, revealing where you shop and the last four digits of your bank cards.
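
How an Android app can enforce the safeguard described above, where banking apps refuse low-security face unlock, shown as an added example (not code from Which? or from any bank). It uses the AndroidX Biometric library to accept only Class 3 ("strong") biometrics and otherwise falls back to a Pin; the function names, the UnlockPath enum and the prompt strings are hypothetical.

```kotlin
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity

// Hypothetical result type: what the app should offer the user next.
enum class UnlockPath { STRONG_BIOMETRIC, ENROL_STRONG_BIOMETRIC, APP_PIN_ONLY }

// Ask Android whether a Class 3 biometric is present and enrolled.
// A Class 1 "convenience" 2D face unlock is not offered to apps through
// this API, so a phone whose only biometric is 2D face unlock ends up
// on the Pin path.
fun chooseUnlockPath(activity: FragmentActivity): UnlockPath =
    when (BiometricManager.from(activity).canAuthenticate(BIOMETRIC_STRONG)) {
        BiometricManager.BIOMETRIC_SUCCESS -> UnlockPath.STRONG_BIOMETRIC
        BiometricManager.BIOMETRIC_ERROR_NONE_ENROLLED -> UnlockPath.ENROL_STRONG_BIOMETRIC
        else -> UnlockPath.APP_PIN_ONLY // no hardware, unavailable, update required
    }

// Approve a sensitive action only after a Class 3 biometric match,
// otherwise hand over to the app's own Pin screen.
fun confirmPayment(
    activity: FragmentActivity,
    onApproved: () -> Unit,
    onFallbackToPin: () -> Unit,
) {
    if (chooseUnlockPath(activity) != UnlockPath.STRONG_BIOMETRIC) {
        onFallbackToPin()
        return
    }
    val callback = object : BiometricPrompt.AuthenticationCallback() {
        override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) =
            onApproved()

        // Cancelled, locked out after too many attempts, sensor error, etc.
        override fun onAuthenticationError(errorCode: Int, errString: CharSequence) =
            onFallbackToPin()
    }
    val promptInfo = BiometricPrompt.PromptInfo.Builder()
        .setTitle("Confirm payment")
        .setNegativeButtonText("Use app Pin")
        .setAllowedAuthenticators(BIOMETRIC_STRONG) // never BIOMETRIC_WEAK here
        .build()
    BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback)
        .authenticate(promptInfo)
}
```

On a phone with a Class 3 fingerprint sensor and a Class 1 face unlock, this prompt is satisfied by the fingerprint only, which matches the behaviour the article describes.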

For more mobile phone tips, take a look at the things our smartphone expert would never do.


How to secure your smartphone


You can make your phone more secure without making it awkward to use – here are some simple steps to beef up your security:

  • Switch to fingerprint or Pin unlock: If you own a phone with 2D face unlock that isn't a recent Pixel phone, turn off face unlock in the settings and use the fingerprint scanner or a 6-digit Pin.
  • Set a Sim Pin: It prevents a thief from taking your Sim card and putting it in another phone to intercept your bank’s security codes sent via text.
  • Force extra protection: Use 'App Lock' features (available on many Android phones) to require a fingerprint specifically for sensitive apps like WhatsApp, your email or your photo gallery.

Here's how the most common unlocking methods stack up from most to least secure:

| Security level | Method | Why? |
| --- | --- | --- |
| Highest | Long Pin / Complex password | The hardest for a stranger to guess or spoof digitally |
| High | Fingerprint sensor | Particularly secure, as it requires your physical presence |
| High | 3D Face ID or Secure 2D (Pixel 8+) | Uses depth mapping or advanced AI to prevent simple photo spoofing |
| Low | Standard 2D face recognition | Convenient but, as our tests show, can be easily fooled by a photo |
| Lowest | Pattern unlock / swipe | Avoid these, as they're easily 'shoulder-surfed' by someone watching you |

For more detailed advice on keeping your digital life private, you can read our full guide to protecting your phone.

Phone brands respond

We presented our findings to the manufacturers involved. Here is how they addressed the security concerns:

Fairphone told us that security and privacy are core to its design, but it noted that its devices use 2D facial recognition, categorised as a Class 1 biometric. (Class 1 is an industry-standard ‘convenience’ tier. While it is secure enough for unlocking a homescreen, it doesn't meet the much tougher security thresholds Google sets for higher-stakes actions like banking or making payments.) Fairphone pointed out that, because of this, the Android system itself automatically blocks the feature from being used for financial apps. The company is reviewing its current phrasing to see if its existing warnings can be made even more comprehensive.

Honor explained that 2D systems have technical limits that can make them susceptible to being tricked by photos, videos or silicone masks. Because of this, it views the feature as a tool for convenience rather than for authorising sensitive transactions. Users are informed during setup that the system is less secure than a password. For anyone needing top-tier security for things like banking, Honor suggests its flagship ‘Pro’ models, which have 3D facial recognition built for those use cases.

Motorola describes consumer safety as a top priority, but admits its face unlock technology is built primarily for convenient unlocking of the phone. It recommends that owners stick with a Pin, password or pattern for better protection and says it reminds users of this when they first set up the phone. Motorola also highlighted a built-in safety net: even if you use face unlock, the phone’s software will still demand a manual code if the handset is restarted or has been left idle for more than four hours.

OnePlus argues that it is already being transparent about these risks. It pointed to a mandatory ‘Statement on Using Face Recognition’ that every user must read before they can turn the feature on. This notice tells owners that the technology is less secure than a fingerprint or a numeric password. It also warns that, in rare cases, the camera could be tricked by an object or a person with a similar appearance to the owner.

Neither Nothing nor Oppo provided a comment for publication.
