Face Unlock on Android: Real insecurity, testing, payments, and secure alternatives

  • 2D facial recognition with blinking is convenient but low security and vulnerable to photos.
  • For payments and sensitive data, prioritize high-class fingerprint, PIN/password, or 3D/IR facial recognition.
  • There are emerging alternatives such as polarization and Palm ID, with better liveness detection.
  • Strengthen protection with auto-lock, hidden notifications, NFC disabled, and a password manager.

Android Jelly Bean Face Unlock

Android 4.0 Ice Cream Sandwich brought a very striking innovation to the operating system: Face Unlock, which lets us unlock the screen by showing our face to the device. If it recognizes us, it unlocks; if it doesn't, we're locked out of the phone unless we know how to unlock it using the secondary method. The problem was that it was very easy to use a photo of that person to unlock it. Jelly Bean attempted to solve this problem; however, there are already those who have found a way to circumvent the security.

In Ice Cream Sandwich it was very simple. You took a photograph of the owner, either one you took yourself with any other phone or one obtained from their profiles and social media images. This was shown to the device, and the screen would unlock once it recognized the phone's owner. Google had to act to increase the security of this screen unlocking system. Thus, for Jelly Bean they opted for a short video instead of an image. In that short video, the user blinks. What does this achieve? A photograph is no longer valid. Photos are still, and it would be a huge coincidence to find two identical photos where the only difference is that the subject is blinking in one and not in the other.

Well, some users have used their imagination and started testing, until they managed to unlock the device's screen from a still image. All it took was a little Photoshop, although Windows Paint itself would also work. To start, they take a picture of the owner, cover the eyes by painting them the same color as the skin, and put a black stripe below them. Got it yet? They then alternate this image with the original one. The result is one image in which the eyes are open and another in which they're closed, and alternating between them produces the blinking effect. Above, we've included a video on how to do it.

How Face Unlock with Blinking Works on Jelly Bean

How to use face unlock with blinking

With Jelly Bean, Google incorporated an additional verification known as a liveness check, which requests a blink before granting access. In the settings, it appears as an option that, when the screen wakes up, displays an indicator prompting the user to blink. This idea, already explored by some manufacturers such as Samsung, aims to differentiate a real face from a static photograph.

Even so, the system itself was classified by Google as low security and as an experimental mode. This warning is important: 2D facial recognition based on the front camera measures neither depth, nor temperature, nor IR reflections, so its reliability against impersonation attempts is limited.

In low light, at difficult angles, or after changes in appearance (beard, glasses, makeup), the algorithm may fail or even admit vaguely similar faces. So, while blinking adds a layer, it doesn't make traditional face unlock a foolproof solution.

Face Unlock Android insecurity alternatives

Why it remains vulnerable and how it has been mocked

Facial recognition vulnerabilities

The simplest spoofing attack starts from what we already mentioned: with a single photo (obtained from the owner's mobile phone, social networks or even printed), an attacker can prepare a montage to simulate blinking. The method described is simple and fast: in less than a minute the image is edited by covering the eyes with skin color and drawing a dark line to emulate closed eyelids; alternating both images produces the blinking effect that fools the system.

Independent tests on mobile phones of different brands showed that a significant percentage of models can be fooled by a 2D photograph. Some manufacturers even classify their systems into security levels: the higher classes aim to minimize spoofing, while the lower classes accept a higher risk. There are voluntary standards (e.g., forgery thresholds such as 1 in 50,000 attempts) that are not always met in 2D facial recognition.

This vector is based on the fact that a mobile phone camera does not always require actual depth or complex movement patterns. If the algorithm accepts 2D sequences reproduced on a screen (or on paper), blinking is not enough. Furthermore, there are reports of situations where two people with a certain facial resemblance managed to gain access, reinforcing that the classic Face Unlock should be considered a convenience, not a strong barrier.

Although liveness checking seemed like a "simple and effective" solution, practice has shown that it remains an insufficient mechanism against attackers with a photo and basic editing skills. Therefore, even with blinking enabled, it is recommended to set up a robust secondary method and check whether the manufacturer indicates a security class suitable for sensitive use.

Good practices and alternatives to protect your mobile phone

Safe alternatives to Face Unlock

  • Prioritize a PIN or long password: A 6-digit or longer PIN or an alphanumeric password provides superior resistance to unauthorized access.
  • Use advanced biometrics: If your device has a fingerprint sensor or facial recognition with depth/IR, prefer it over basic 2D facial recognition.
  • Activate automatic lock: Reduce the wait time before the screen locks to minimize windows of opportunity.
  • Hide sensitive content: Disable notification previews on the lock screen to prevent third parties from seeing codes or links.
  • Use Smart Lock with discretion: Trust features based on location or nearby devices can be useful, but only in controlled environments.
  • Avoid public frontal photos: Limit the exposure of high-quality portraits on social media that could fuel impersonation attempts.
  • Turn off NFC when not in use: This way you can avoid payment transactions while your phone is unlocked or in the hands of third parties.
  • Financial apps: Many require an additional factor; always activate it and don't rely solely on your face to operate.
  • Password managers: Use a trusted one (e.g., 1Password) and require additional verification for autofill.
  • Third-party face lock apps: "Applock with Face" type solutions require camera, storage and overlay permissions; assess the risks before using them.

2D vs 3D/IR Facial and Pop-Up Options

3D/IR Recognition: Systems with dot projection and infrared sensors capture depth and resist 2D photos better. They are usually more reliable with glasses or moderate changes in appearance, although they are sometimes slower than pure 2D recognition.

Polarization (Polar ID): Specialized companies are exploring cameras that read the polarization signature of the skin to verify liveness and texture. This data can be protected in the chip's TEE and encrypted; with use, the model adapts and improves. It has even been suggested that, if it becomes popular, it could compete with the fingerprint in cost and accuracy, although it raises privacy debates (possible remote identification requires very capable cameras).

Palm ID: Reads the palm of the hand using conventional RGB/IR cameras. It boasts high speed and broad compatibility without specific hardware. It's an interesting way to strengthen authentication without relying on the face.

Payments, banking and practical settings

For mobile payments, platforms usually require high-level biometrics (the higher classes). Even so, unlocking the phone with weak facial recognition can expose card data visible in apps, so it is advisable to require a PIN or fingerprint before authorizing operations.
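From the app side, the same rule can be enforced in code. The following is an added example, not code from the original article: it assumes the AndroidX Biometric library, and the alias `payment_confirm_key` and the function names are hypothetical. It accepts only `BIOMETRIC_STRONG` (Android's Class 3) authenticators and ties approval to a Keystore key, so a weak 2D face unlock cannot authorize the operation.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey

private const val KEY_ALIAS = "payment_confirm_key" // hypothetical alias

// Keystore key that is unusable until the user authenticates for this operation.
// Assumes a strong biometric is already enrolled; key generation fails otherwise.
fun createPaymentKey(): SecretKey {
    val spec = KeyGenParameterSpec.Builder(
        KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setUserAuthenticationRequired(true)       // every use needs a fresh authentication
        .setInvalidatedByBiometricEnrollment(true) // enrolling a new biometric invalidates the key
        .build()
    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        .apply { init(spec) }
        .generateKey()
}

fun confirmPayment(activity: FragmentActivity, key: SecretKey, onApproved: (Cipher) -> Unit) {
    // Do not offer biometrics at all unless a Class 3 (strong) sensor is enrolled.
    val status = BiometricManager.from(activity).canAuthenticate(BIOMETRIC_STRONG)
    if (status != BiometricManager.BIOMETRIC_SUCCESS) {
        return // caller falls back to its own PIN/password flow
    }
    val cipher = Cipher.getInstance("AES/GCM/NoPadding").apply { init(Cipher.ENCRYPT_MODE, key) }
    val prompt = BiometricPrompt(activity, ContextCompat.getMainExecutor(activity),
        object : BiometricPrompt.AuthenticationCallback() {
            override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                // The cipher works only because the Keystore itself saw the authentication.
                result.cryptoObject?.cipher?.let(onApproved)
            }
        })
    val info = BiometricPrompt.PromptInfo.Builder()
        .setTitle("Confirm payment")
        .setNegativeButtonText("Cancel")
        .setAllowedAuthenticators(BIOMETRIC_STRONG) // weak and convenience classes excluded
        .build()
    prompt.authenticate(info, BiometricPrompt.CryptoObject(cipher))
}
```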

In Android settings, the typical path is Settings > Security > Biometrics (names vary: "Passwords & Security", "Lock & Security", etc.). Many models allow you to add an alternative face and improve recognition if you use a mask or accessories. There is also a trick spread by security firms: registering the face partially, with the mask covering half of it; its effectiveness depends on the device and it doesn't always work.

If your mobile does not include reliable facial recognition, go back to the fingerprint or a PIN/password and avoid third-party apps with intrusive permissions. The order of preference for risk scenarios is usually: long password > strong PIN > fingerprint > 3D/IR facial > basic 2D facial.

Jelly Bean: Context and other relevant improvements

Jelly Bean was a step forward in smoothness and overall experience. Among its new features was Google Now, a proactive assistant with cards for useful information such as weather, traffic, flights, and the calendar. It was accessed with a gesture from the home button to quickly display contextual information.

It also natively integrated screenshots: taken with the power key and volume down combination, they went to the notification center for instant sharing or editing. For home screen management, removing apps and widgets became more straightforward: drag the icon up to remove it.

In the Phone and Contacts app, swipe gestures streamlined common actions: swiping right to call or swiping left to send a text message from the log. These are small details that, when combined, reinforced the feeling of a more polished system.

The addition of blinking to Face Unlock fit into that set of quick and practical settings. However, as a security mechanism it remained in the category of low robustness, useful for convenient unlocking but not for high-risk scenarios.

Blink-based face unlock was an attempt to raise the bar above static photos, but the 2D approach leaves room for affordable impersonation techniques. Combining a strong method, good practices and, where possible, technologies that use depth or physical signals (IR, polarization, palm) is the most balanced way to keep convenience without sacrificing security.