Facial recognition might seem like one of the safest ways to keep your phone secure, but experts say your device might be easy prey for hackers.
Which? research has revealed that 60 per cent of popular mobile phones can be easily fooled with printed photos.
This includes devices from several big brands including Motorola, Nokia, Nothing, OnePlus, and Fairphone.
Even top-of-the-range flagship models, such as the £1,099 Oppo Find X9 Pro, mistook pieces of paper for real human faces.
Which? warns that thieves could use this weakness to read your emails, reset passwords for sensitive accounts, access your pictures, and even view your Google Wallet history.
Lisa Barber, Which? Tech Editor, says: ‘In this age of cutting-edge technology it almost seems unbelievable that phone cameras could be fooled by a printed photo – and yet they can be.
‘The majority of Android phones we’ve tested in the last four years can be easily unlocked using a 2D image, and some manufacturers are still failing to adequately warn their users that this is the case.
‘We’d urge affected users to set up alternative methods of security, like a fingerprint or a PIN, which are much more secure.’
Which? has tested 208 phone models released since October 2022, 133 of which could be fooled by a simple photo.
And this problem isn’t necessarily improving as phone technology gets better each year.
In 2024, a staggering 72 per cent of phones tested failed to detect a printout spoof – up by a fifth from the year before when 53 per cent failed.
In 2025, the figure fell slightly to a failure rate of 63 per cent, although this still means the majority of devices could be fooled.
Many devices can be tricked because they rely on 2D facial recognition systems, which only look at a flat image of the user’s face.
Since these images lack depth, such systems can’t tell the difference between a flat print-out of a person and their real face.
By contrast, the newest Google Pixel 8, Pixel 9, Pixel 10, and Samsung’s Galaxy S26 all passed the test with flying colours.
Likewise, Apple’s Face ID and some ‘Pro’ Android devices, from brands such as Honor, also proved much harder to trick.
This is because these devices use complex 3D mapping systems that project thousands of invisible dots onto the user’s face to detect depth.
This ensures that the device can’t be hijacked with something as trivial as a photograph of its owner.
Given that so many devices fail to offer serious protection from impersonators, Which? is concerned that brands are failing to warn users about the risks.
Which? defines an adequate warning as a clear, prominent notification during the setup process that explicitly cautions the user that their phone could be bypassed by a 2D photo or by someone who looks like them.
Importantly, this information should be clearly presented during the security setup rather than being buried in a separate ‘terms and conditions’ document.
Which? maintains that it cannot endorse any phone that failed the spoofing test and did not provide adequate warning, regardless of how it performs in other areas.
Some devices do feature on-screen messages during setup that caution the user not to rely on facial recognition for security, but the majority do not.
For example, Motorola and OnePlus have collectively released 27 phones since October 2022 that were easily fooled by a printed photograph.
But none of these devices gives what Which? determines to be an adequate warning to the owner.
Likewise, Nothing failed to give a sufficient warning to users of its five easily-duped devices launched since 2022.
In response, a Motorola spokesperson says: ‘The Face Unlock technology is intended to support convenient unlocking of the phone, although Motorola reminds and recommends that consumers use a PIN, password or pattern for enhanced security.
‘Also, if a consumer chooses to use Face Unlock for convenience after consenting to use this feature, they will also need to choose a pattern, PIN or password to secure their device.’
OnePlus pointed to its mandatory ‘Statement on Using Face Recognition’ which every user must read before they can turn the feature on, while Nothing did not respond to a request for comment.
However, Which? does note that a few brands have made significant improvements.
Xiaomi, for example, flagged the 2D photo security risks on 26 separate vulnerable handsets Which? tested, while Samsung has upfront warnings on nine of its devices.
A Samsung spokesperson told the Daily Mail: ‘Galaxy phones clearly specify the various levels of security of their lock types, with the highest level of security offered by the fingerprint reader.
‘It is important to reiterate that facial recognition, while convenient, can only be used for opening your Galaxy device and cannot be used to authenticate access to features requiring stronger security, such as Samsung Wallet.’
If you use one of the affected devices, the experts urge you not to rely on facial recognition as your sole layer of security.
If your device can be tricked by a printed photo, Which? suggests switching to a more secure option, such as a fingerprint or PIN, to unlock the phone.
Some Android devices also have the option for an ‘app lock’, which requires a fingerprint specifically for sensitive apps like WhatsApp, banking apps, or email accounts.
Likewise, customers should avoid weak unlocking options such as patterns, which can easily be remembered by a ‘shoulder surfing’ thief.
A Fairphone spokesperson said: ‘The Fairphone (Gen. 6) utilizes 2D facial recognition, which is categorized as a Class 1 biometric under Android’s security framework. This is a widely adopted industry standard utilized by many leading smartphone brands and inherently shares the same limitations.’
Honor says it views facial recognition as a tool for convenience rather than for authorising sensitive transactions and warns users of this limitation.
Of the 208 devices tested, a total of 133 failed the facial recognition test; however, Which? is unable to share the full list of affected devices.
Asus, HMD, Nokia, Realme, Samsung, Vivo, Xiaomi, Nothing, and Oppo did not respond to requests for comment from Which?.



