Update: OnePlus said that it is investigating the issue and it would need time for a final resolution for the issue. In the meanwhile, it is asking users to use password/PIN/fingerprint for security purposes. Here is the official response.
We designed Face Unlock around convenience, and while we took corresponding measures to optimise its security we always recommended you use a password/PIN/fingerprint for security. For this reason Face Unlock is not enabled for any secure apps such as banking or payments. We’re constantly working to improve all of our technology, including Face Unlock.
Earlier: Since Apple introduced Face ID with the iPhone X, the feature has become a rage among Android phones. In fact, OnePlus 5T was among the initial adopters of the feature. Continuing the legacy, OnePlus included the feature with its latest offering; the OnePlus 6 as well.
I printed my face to unlock my OnePlus 6 for the lulz… it worked ¯\_(ツ)_/¯ pic.twitter.com/rAVMq8JKBr
— rik (@rikvduijn) May 29, 2018
However, the face unlock on Android phones is not as secure as the Apple’s Face ID and today an owner of the OnePlus 6 proved it again by printing a photo of him and succeeded in unlocking the phone within few seconds. It also works with a black and white photo which raises serious security doubts about the feature. Google to strengthen the Face unlock feature which it introduced in Android 4.0.
Google added the liveness test” later that requires you to blink, though can also be fooled easily it at least added an extra security layer. Cut to the chase, OnePlus didn’t implement the liveness test because that slows down unlocking. The actual problem is that the front-facing camera cannot differentiate a flat surface and a real face. Apple has a workaround for this by using IR dot projector to map faces in 3D.
OnePlus at least should have included a disclaimer while registering the face data saying that it is less secure than other options. OnePlus is yet to comment on the issue.