OnePlus is facing criticism after a video was posted to Twitter displaying an easy way to bypass the face unlock feature on its new OnePlus 6 device. The authentication method is surprisingly fooled by just a photo of the device owner, and Twitter user rikvduijn posted another comment noting that even a black and white photo of the person worked.
Security flaws in face unlock technologies have been spotted with almost every new release. Android phones could be beaten by photos when Google unveiled face unlock with Android 4.0, and smartphone makers continue to struggle with how to make front-facing cameras tell the difference between a human face and a photo of a person.
Both Apple and Samsung have found ways around it with their most recent releases, but Samsung does not allow you to unlock certain apps with just face ID.
In response to the controversy, OnePlus acknowledged faults in the system and implored its customers to use passwords, PINs, or the thumbprint scanner for their own security.
“We designed Face Unlock around convenience, and while we took corresponding measures to optimise its security we always recommended you use a password/PIN/fingerprint for security,” OnePlus representatives told Phone Arena. “For this reason Face Unlock is not enabled for any secure apps such as banking or payments. We’re constantly working to improve all of our technology, including Face Unlock.”
According to Engadget and Android Police, the technology fails because it does not take a 3D map of a face or conduct an iris scan to ensure that a face is in front of it.
“Rather than mapping facial structures into a 3D model as per iPhone X, the OnePlus 6’s face unlock determines the distance between different areas on your face, and compares that image to the original scan,” Engadget reported.
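The sketch below is an added example, not OnePlus code and not taken from the reporting: it models a matcher that compares distances between facial landmarks in a single 2D image, as the Engadget description puts it, and shows why a flat print of the owner produces the same features while a depth measurement separates the two. The landmark coordinates, the tolerance and the depth threshold are constructed assumptions.

```python
import itertools
import math

# Constructed landmarks (x, y, depth offset z, in cm); not real biometric data.
OWNER = {"l_eye": (-3.2, 3.5, 2.0), "r_eye": (3.2, 3.5, 2.0), "nose": (0.0, 0.0, 0.0),
         "l_mouth": (-2.5, -3.5, 1.5), "r_mouth": (2.5, -3.5, 1.5), "chin": (0.0, -7.0, 2.5)}
STRANGER = dict(OWNER, l_eye=(-3.9, 3.5, 2.0), r_eye=(3.9, 3.5, 2.0), chin=(0.0, -8.5, 2.5))

def project(face, cam_dist):
    """Pinhole projection: what a single front camera sees (depth is lost)."""
    return {k: (x / (cam_dist + z), y / (cam_dist + z)) for k, (x, y, z) in face.items()}

def features(img):
    """Pairwise landmark distances, normalised by inter-eye distance."""
    scale = math.dist(img["l_eye"], img["r_eye"])
    return [math.dist(img[a], img[b]) / scale
            for a, b in itertools.combinations(sorted(img), 2)]

def matches_2d(template, img, tol=0.05):
    """True when every normalised distance is within tol of the enrolled one."""
    return max(abs(t - f) for t, f in zip(template, features(img))) < tol

def printed_photo(face, shot_dist, print_scale=60.0):
    """A flat print of the face: every landmark ends up at the same depth."""
    return {k: (u * print_scale, v * print_scale, 0.0)
            for k, (u, v) in project(face, shot_dist).items()}

def depth_relief(subject):
    """Stand-in for a depth sensor: spread of landmark depths in cm."""
    zs = [z for _, _, z in subject.values()]
    return max(zs) - min(zs)

def unlock(template, subject, cam_dist, require_depth, min_relief=0.5):
    """2D distance match, optionally gated on the subject having real depth."""
    if require_depth and depth_relief(subject) < min_relief:
        return False
    return matches_2d(template, project(subject, cam_dist))

TEMPLATE = features(project(OWNER, 40.0))  # enrolment scan at 40 cm
PHOTO = printed_photo(OWNER, 40.0)         # flat print of the owner

if __name__ == "__main__":
    print("owner, 2D only:", unlock(TEMPLATE, OWNER, 45.0, False))
    print("photo, 2D only:", unlock(TEMPLATE, PHOTO, 30.0, False))
    print("photo, depth required:", unlock(TEMPLATE, PHOTO, 30.0, True))
```

Because the distances are normalised, a flat print reproduces the enrolled features at any print size or viewing distance; only the depth gate tells it apart from the live face.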
Face Unlock is available on both the OnePlus 5T and the new OnePlus 6. In general, researchers have been able to hack most facial identification software, even the highly publicized one in the iPhone X. Despite what most companies continue to claim, the faulty ID software should almost always be accompanied by passwords or other protections.
Cybersecurity expert Leigh-Anne Galloway told our sister site ZDNet last year that technologies like these will continue to make a significant number of mistakes as they improve over time.
“To get a reliable authentication system, you have to be able to accurately measure and compare some unique physiological features,” Galloway told ZDNet. “But if you get these features from a smartphone or another simple device, it means shaky-hands-quality pictures and city-noise-backgrounding voices. This kind of biometric authentication will make lots of mistakes.”
The big takeaways for tech leaders:
- Face Unlock on the OnePlus 5T and the new OnePlus 6 can be easily bypassed using a photo of the device owner.
- OnePlus advises that all users have a password or PIN code to protect themselves if they are using the Face Unlock feature.