Image: iStockphoto/metamorworks

My TechRepublic article How to enable facial recognition in the BitWarden mobile password manager wound up receiving feedback about Android facial recognition–not BitWarden. Most of the comments were about how weak Android’s facial recognition is, along with a smattering of messages about facial recognition being a bad idea in general. Due to my curious nature, I decided to test the Android facial recognition system to see if I could crack it.

After using the Google Pixel 4 for a few months, I’d already drawn my conclusions that the Android facial recognition system was the best on the mobile market–by a long shot. So I knew the complaints couldn’t be about the reliability of the feature. The only conclusion to draw was that Android facial recognition must be easy to crack, so I set out to do just that with a caveat: I’m no hacker. My efforts would not entail attempting to first break into the phone by means of malicious code or malformed URL. This was all about facial recognition. (Note: My testing was done on a Pixel 4 running the latest update of Android 10.)

Top Android security tips (TechRepublic download)

My first attempts

My first attempts to crack Android’s security system involved finding people with a similar facial structure than mine. Unfortunately, I was asked by those who participated to not print their photos or names, so you’ll have to take my word that those people I found did, in fact, have a somewhat similar facial structure. I’m not talking twins, but the shape, skin tone, and hair color were similar.

It should come as no surprise that none of the people I ran tests with could open my Pixel 4. Obviously, I was not able to get in touch with Johnny Galecki, who many say could easily be my twin. Is it possible that Johnny would be able to unlock my device? We’ll never know.

My next attempts

My next attempts at cracking Android’s facial recognition involved video. Using one of the many intro videos I’ve shot for TechRepublic, I attempted to unlock my Pixel 4 by playing the video and holding the device up to the monitor. There was a very clear image of the real me in full color video format.

No dice. No matter how many videos I tried, the facial recognition wouldn’t unlock.

Next up: Photos

Next came photos. I’d read so many instances of photos being able to unlock Android’s facial recognition system, so I assumed this would be the Achilles’ heel. As I’m also an actor and a fiction writer, I have plenty of headshots (recent and older headshots) that are ideal for testing.

It didn’t matter if the photo was on a computer monitor or in print format, or the angle, distance, lighting, or the times attempted, I was unsuccessful at unlocking the Pixel 4. These photos were professionally shot, so they are high-quality captures of my face. Some of them had been edited, some had not. I also attempted photos of different sizes–some of which were the exact size of my face. So if the Android facial recognition was, in fact, weak, one of those photos should have succeeded.

Still, no dice.

What gives?

After careful consideration, I’ve drawn a conclusion that isn’t meant to shame or blame but to highlight what I believe is at the heart of the concerns about the Android facial recognition system.

The pushback to facial recognition isn’t about the ability to crack it–it’s about the ability to abuse it. I’m not talking about the ability of a rogue user being able to abuse your mobile phone via facial recognition; this is about companies and governments being able to use facial recognition in such a way that might invade citizens’ privacy.

I believe that is why so many people are concerned about how much facial recognition systems have improved. If the Android system is any indication, it is certainly ready for prime time. However, as far as a system to secure your mobile device? You shouldn’t worry about it. Cracking the Android facial recognition system isn’t easy–just short of someone taking your phone and forcing you to unlock it, chances are slim it’s going to be cracked. Of course, if someone wants to get inside your phone that badly, it wouldn’t matter if the device used facial recognition, fingerprint biometrics, or a password.

Facial recognition on Android is an incredibly well executed and secure system–at least according to my real-world testing.

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays