Which? has warned of a widespread security flaw in facial recognition systems on a large number of smartphones, after tests showed that the technology can be easily fooled using printed photos.
Research conducted by the organization revealed that 60% of popular smartphones can be unlocked using two-dimensional images, without requiring the person to be physically present in front of the camera. The test included 208 models released since October 2022, and found that 133 of them were susceptible to this type of deception.
The affected devices included phones from major brands such as Motorola, Nokia, Nothing, OnePlus, and Fairphone, as well as newer, supposedly more advanced models. The findings indicated that even some flagship phones, like the Oppo Find X9 Pro, treated printed images as real faces.
Which? warns that exploiting this vulnerability could allow hackers to access emails, reset passwords, access photos, and even view financial data linked to a Google wallet.
Lisa Barber, the organization's technology editor, says: "In this age of advanced technology, it's unthinkable that phone cameras could be fooled by a printed image, yet it actually happens."
The results show that the problem persists despite the annual development in smartphones, as 72% of the devices tested in 2024 failed to detect fake images, before the percentage dropped to 63% in 2025, without these improvements meaning that the danger has disappeared.
This flaw is due to the fact that a large number of devices rely on two-dimensional facial recognition systems, which verify a flat image of the face without depth analysis, making them unable to distinguish between a real face and a printed image.
Conversely, some newer devices have successfully passed the tests, such as the Google Pixel 8, Pixel 9, and Pixel 10, as well as the Samsung Galaxy S26, along with Apple's Face ID technology and some advanced Android devices from companies like Honor. These systems rely on 3D technology that projects thousands of points onto the face to measure depth and verify identity.
Which? urges users not to rely on facial recognition as their sole means of protection, and to resort to more secure alternatives such as fingerprinting or PIN codes, especially in sensitive applications.
It also notes that while some companies have already started adding warnings during phone setup, most devices do not adequately alert users to the risks of this technology, which the organization considers a failure to protect consumers.
In their responses, Motorola explained that the face unlock feature is intended to make it easier to use, while recommending the use of additional security measures such as a PIN or password. OnePlus indicated that users agree to a terms of service explaining the nature of the feature before activating it. Nothing has not issued an official comment.
Some companies have also confirmed improvements in risk alerting, with Xiaomi warning against the use of 2D facial recognition in a number of its devices, while Samsung provides similar warnings on some of its phones.
Which? concludes that a large number of phones still lack adequate protection against identity theft, urging users to be cautious and not rely entirely on this technology to secure their devices.
