By John E. Dunn of Sophos…
How easy is it to bypass the average smartphone’s facial recognition security?
According to the Dutch consumer protection organisation Consumentenbond, in the case of several dozen Android models, it’s a lot easier than most owners probably realise.
Its researchers tested 110 devices, finding that 42 could be beaten by holding up nothing more elaborate than a photograph of a device’s owner.
Consumentenbond offers little detail of its testing methodology but it seems these weren’t high-resolution photographs – almost any would do, including those grabbed from social media accounts or selfies taken on another smartphone.
While users might conclude from this test that it’s not worth turning on facial recognition, the good news is that 68 devices, including Apple’s recent XR and XS models, resisted this simple attack, as did many other high-end Android models from Samsung, Huawei, OnePlus, and Honor.
Confusingly, many of the models that failed were from the same vendors, including Asus, Huawei, Lenovo/Motorola, LG, Nokia, Samsung, BlackBerry, and Xiaomi. In the case of Sony, every model tested failed. A further six – an Honor and six LG models – only passed the test when put into a ‘strict’ mode.
Generally, expensive handsets performed better than cheaper ones but this wasn’t always the case. For example, Sony’s $1,000 Xperia XZ2 Premium (US version) failed while Motorola’s Moto G6 costing less than a third of that price tag passed. A full list of the models that passed the photo test can be found on Consumentenbond’s website.
Apple’s Face ID v the rest
Apple famously made a big deal of its Face ID technology when it launched the iPhone X in 2017, and for good reason – the iPhone X was a premium model that needed to justify its hefty price tag.
The idea was that Face ID wasn’t only a convenient way for owners to unlock their iPhones, but the beginnings of a more sophisticated system capable of authenticating users.
Reliably identifying someone as being who they say they are sets a much higher bar for device security (in Face ID’s case, Apple says it’s a one in a million chance a random person could unlock a device).
That didn’t stop researchers looking for weaknesses in Face ID, which some claimed to have found within days of the iPhone X’s appearance using a naturalistic 3D mask.
Nevertheless, Face ID is still way ahead of the same technology on even quite expensive Android handsets, which apparently can be fooled by fake 3D wax heads that Face ID resists.
The bigger question is what expectations smartphone owners should have for their security when using this technology.
Right now, our advice for anyone owning a handset that failed Consumentenbond’s simple photograph test is to use an alternative security mechanism such as PIN or fingerprint.
Despite the advances made by Apple, facial recognition on many of today’s smartphones remains a promising technology that is some way from being reliable.