Here’s another friendly reminder that, if your Android phone doesn’t have some kind of special hardware for face unlock, the feature probably isn’t very secure. The latest phone to implement face unlock with nothing but the normal front camera is the Galaxy S10, and users across the web are reporting that the feature is easily confused or defeated.
There are a number of reports that say—surprise!—a 2D image sensor can be fooled by a 2D image. The Verge was able to unlock the device with a video, and YouTube channel Unbox Therapy was able to unlock the S10 just by playing one of its public channel videos in view of the camera. The worst example is probably from AndroidWorld.it, which was able to unlock the Galaxy S10 by waving a still photo around in front of the device.
The Galaxy S10 can also reportedly have trouble telling different people apart. Security Researcher Jane Wong was able to unlock her brother’s phone with her face.
Samsung used to have a more secure face-unlock system that didn’t rely on a simple camera. Starting with the Galaxy Note 7, Samsung implemented extra hardware for face unlock, which used an IR LED and an extra front camera to scan your iris. This hardware lasted through the Galaxy S8, Note 8, S9, and Note 9, but was removed on the Galaxy S10. Presumably Samsung just didn’t have room for the extra hardware on the front of the phone this generation. The Galaxy S10 uses super slim bezels that don’t even have room for a camera. Instead, the camera is placed under the display, and pixels in the way of the lens are just cut out of the screen. More front sensors would have meant more display holes, so Samsung cut the extra hardware.
This is all exactly the same problem Samsung has years ago on the Galaxy S8, which could use a camera-based face unlock instead of the iris scanner. Again, it was fooled with a photo. Back then, you could just ignore the feature and use iris unlock instead, but on the Galaxy S10, camera-based face unlock is the only biometric option in addition to the in-screen fingerprint reader. Fooling a camera-based face unlock with a photo has been a thing on Android going all the way back to 2011, but for some reason smartphone companies keep using the feature.