Face unlock is all the rage these days now that Apple has invented it for the iPhone X. Of course, face unlock has existed on Android for years—it just wasn't very good. Some device makers are returning to the concept, among them OnePlus. The OnePlus 5T and new OnePlus 6 have face unlock, but it's not as secure as other security options. In fact, one owner has shown that a printed photo is enough to bypass OnePlus' face unlock.
As you can see in the video, it only takes a few seconds to get the phone unlocked with a printed photo. It also works with a black and white photo.
I printed my face to unlock my OnePlus 6 for the lulz... it worked ¯_(ツ)_/¯ pic.twitter.com/rAVMq8JKBr
— rik van duijn (@rikvduijn) May 29, 2018
Anyone who has been an Android user for long enough might remember when Google added face unlock in Android 4.0. It was a neat demo, but we all quickly realized that it was easy to defeat with a photo of the phone's owner. Google added a "liveness test" later that required you to blink, but even that was simple enough to fool with a video or photo animated to "blink." OnePlus doesn't even implement the liveness test because that slows down unlocking.
The problem then (and to this day) is that a regular front-facing camera can't differentiate between a flat surface and a real face. Apple got around this by using an IR dot projector to map faces in 3D. Meanwhile, Samsung's face unlock works together with iris scanning. If the device is unlocked with your face only, you can't access more secure apps and services like Samsung Pay until you verify with a secure method.
OnePlus does include a disclaimer when you configure face unlock, noting that it's less secure than other options. However, it does push face unlock aggressively during the setup process. Our own Ryne Hager tested this workaround and was unable to get the OnePlus 6 unlocked with a black and white photo of middling quality (see above). So, you might need a rather high-quality printer to pull it off. We've reached out to OnePlus for comment and will report back if we hear anything.
We've gotten the following explanation from OP.
"We designed Face Unlock around convenience, and while we took corresponding measures to optimise its security we always recommended you use a password/PIN/fingerprint for security. For this reason Face Unlock is not enabled for any secure apps such as banking or payments. We’re constantly working to improve all of our technology, including Face Unlock."
So, you can't access secure apps with face unlock. For example, Google pay will prompt for additional authentication if you attempt a payment. However, face unlock is still pushed hard during the setup process, and it provides access to plenty of your data.