Facial recognition might seem like one of the safest ways to keep your phone secure, but experts say your device might be easy prey for hackers.
Which? research has revealed that 60 per cent of popular mobile phones can be easily fooled with printed photos.
This includes devices from several big brands including Motorola, Nokia, Nothing, OnePlus, and Fairphone.
Even top-of-the-range flagship models, such as the £1,099 Oppo Find X9 Pro, mistook pieces of paper for real human faces.
Which? warns that thieves could use this weakness to read your emails, reset passwords for sensitive accounts, access your pictures, and even view your Google Wallet history.
Lisa Barber, Which? Tech Editor, says: 'In this age of cutting-edge technology it almost seems unbelievable that phone cameras could be fooled by a printed photo - and yet they can be.
'The majority of Android phones we've tested in the last four years can be easily unlocked using a 2D image, and some manufacturers are still failing to adequately warn their users that this is the case.
'We'd urge affected users to set up alternative methods of security, like a fingerprint or a PIN, which are much more secure.'
Which? has tested 208 phone models released since October 2022, 133 of which could be fooled by a simple photo.
And this problem isn't necessarily improving as phone technology gets better each year.
In 2024, a staggering 72 per cent of phones tested failed to detect a printout spoof - up by a fifth from the year before when 53 per cent failed.
In 2025, the figure fell slightly to a failure rate of 63 per cent, although this still means the majority of devices could be fooled.
Many devices can be tricked because they rely on 2D facial recognition systems, which only look at a flat photo of the user's face.
Since these images lack depth, the systems can't tell the difference between a flat print-out of a person and their real face.
By contrast, the newest Google Pixel 8, Pixel 9, Pixel 10, and Samsung's Galaxy S26 all passed the test with flying colours.
Likewise, Apple's Face ID and some 'Pro' Android devices from brands such as Honor also proved much harder to trick.
This is because these devices use complex 3D mapping systems that project thousands of invisible dots onto the user's face to detect depth.
This ensures that the device can't be hijacked with something as trivial as a photograph of its owner.
The 21 phones that can be spoofed by printed photos:
- Fairphone 6
- Honor Magic6 Lite 5G
- Motorola Moto G75 5G
- Motorola Edge 60 Pro; Motorola Edge 60 fusion
- Motorola Moto G56 5G
- Motorola G86; Motorola Edge 40 Neo
- Motorola Moto g35; Motorola Moto g55
- Motorola Razr 50 Ultra
- Motorola Edge 50 Ultra
- Motorola Edge 50 Pro
- Motorola Moto G73; Nothing Phone (2a) Plus
- Nothing Phone (3a)
- Nothing Phone (3a) Pro
- Nothing Phone (3)
- Nothing Phone (2a)
- OnePlus 13R
- OnePlus 13
- OnePlus Nord 5
- OnePlus Nord CE5
- OnePlus 15
- OnePlus Nord 3 5G
Given that so many devices fail to offer serious protection from impersonators, Which? is concerned that brands are failing to warn users about the risks.
Which? defines an adequate warning as a clear, prominent notification during the setup process that explicitly cautions the user that their phone could be bypassed by a 2D photo or by someone who looks like them.
Importantly, this information should be clearly presented during the security setup rather than being buried in a separate 'terms and conditions' document.
Which? maintains that it cannot endorse any phone that failed the spoofing test and did not provide adequate warning, regardless of how it performs in other areas.
Some devices do feature on-screen messages during setup that caution the user not to rely on facial recognition for security, but the majority do not.
For example, Motorola and OnePlus have collectively released 27 phones since October 2022 which were easily fooled by a printed photograph.
But none of these devices gives what Which? determines to be an adequate warning to the owner.
Likewise, Nothing failed to give a sufficient warning to users of its five easily-duped devices launched since 2022.
In response, a Motorola spokesperson says: 'The Face Unlock technology is intended to support convenient unlocking of the phone, although Motorola reminds and recommends that consumers use a PIN, password or pattern for enhanced security.
'Also, if a consumer chooses to use Face Unlock for convenience after consenting to use this feature, they will also need to choose a pattern, PIN or password to secure their device.'
OnePlus pointed to its mandatory 'Statement on Using Face Recognition' which every user must read before they can turn the feature on, while Nothing did not respond to a request for comment.
However, Which? does note that a few brands have made significant improvements.
Xiaomi, for example, flagged the 2D photo security risks on 26 separate vulnerable handsets Which? tested; while Samsung has upfront warnings on nine of its devices.
If you use one of the affected devices, the experts urge you not to rely on facial recognition as your sole layer of security.
If your device can be tricked by a printed photo, Which? suggests switching to a more secure option, such as a fingerprint or PIN, to unlock the phone.
Some Android devices also have the option for an 'app lock', which requires a fingerprint specifically for sensitive apps like WhatsApp, banking apps, or email accounts.
Likewise, customers should avoid weak unlocking options such as patterns, which can easily be remembered by a 'shoulder surfing' thief.
A Fairphone spokesperson said: 'The Fairphone (Gen. 6) utilizes 2D facial recognition, which is categorized as a Class 1 biometric under Android's security framework. This is a widely adopted industry standard utilized by many leading smartphone brands and inherently shares the same limitations.'
Honor says it views facial recognition as a tool for convenience rather than for authorising sensitive transactions and warns users of this limitation.
Asus, HMD, Nokia, Realme, Samsung, Vivo, Xiaomi, Nothing, and Oppo did not respond to requests for comment from Which?.