The illusion of security: why Android face unlock often fails even basic scrutiny

Facial recognition has become a standard feature across Android smartphones, yet its real-world reliability is increasingly questioned. A new study by the British consumer organization Which? reveals that in many cases, this technology prioritizes convenience over security — and can be bypassed within seconds using a simple photo of the device owner.

A systemic issue, not isolated flaws

As part of a large-scale evaluation launched in 2022, researchers analyzed 208 smartphone models. The findings are concerning: 64% of devices (133 models) failed to distinguish a real face from a flat image. In practical terms, this means access can often be gained simply by presenting a photograph to the camera.

The trend is equally troubling:

• 53% failure rate in 2023;
• 72% in 2024;
• a slight improvement to 63% in 2025 — still a majority.

These figures point to a systemic weakness rather than occasional implementation errors.

A technological trade-off: convenience vs. security

At the core of the issue lies the widespread use of 2D facial recognition. Most Android devices rely solely on front-facing camera data without depth sensing. As a result, the system essentially compares one flat image to another, lacking the ability to verify “liveness.”

This limitation makes it inherently vulnerable to spoofing via photographs.

In contrast, more advanced solutions such as Face ID by Apple use 3D scanning techniques, projecting thousands of invisible points to build a detailed facial map — significantly enhancing security.

Industry-wide pattern: no clear outliers

The vulnerability spans a wide range of manufacturers, including Motorola, OnePlus, Samsung, Xiaomi, Oppo, Vivo and others.

Beyond the technical limitations, transparency is also an issue. Not all manufacturers clearly inform users about the potential risks of face unlock.

Notably, Motorola and OnePlus released numerous models without adequate warnings. Similar concerns apply to Nothing.

Limited progress: isolated improvements

Despite the broader trend, some manufacturers have made progress. For instance, the Samsung Galaxy S26 lineup successfully passed the tests, unlike earlier generations.

Flagship devices from Google (Pixel 8, 9, and 10) also show improved resilience thanks to enhanced machine learning, even within a 2D framework.

However, such cases remain exceptions rather than the norm.

Practical implications: where the real risk lies

For users, this means that face unlock on most Android devices should be viewed as a convenience feature rather than a robust security mechanism. This is particularly critical when sensitive data is involved — banking apps, work accounts, or private communications.

Experts at Which? recommend:

• using a PIN or password as the primary authentication method;
• enabling fingerprint recognition;
• setting a SIM PIN;
• activating additional app-level protection (e.g., App Lock).

Conclusion: security remains the user’s responsibility

Despite years of scrutiny, the industry has yet to deliver a universal solution. Manufacturers continue to balance usability and protection, often favoring the former.

As a result, the burden of security ultimately falls on the user — who must decide between instant access and meaningful data protection.