Andy Greenberg, writing for Wired:
On Friday, Vietnamese security firm Bkav released a blog post and video showing that—by all appearances—they’d cracked Face ID with a composite mask of 3-D-printed plastic, silicone, makeup, and simple paper cutouts, which in combination tricked an iPhone X into unlocking. That demonstration, which has yet to be confirmed publicly by other security researchers, could poke a hole in the expensive security of the iPhone X, particularly given that the researchers say their mask cost just $150 to make.
In the video posted to YouTube, shown above, one of the company's staff pulls a piece of cloth from a mounted mask facing an iPhone X on a stand, and the phone instantly unlocks. Despite the phone's sophisticated 3-D infrared mapping of its owner's face and AI-driven modeling, the researchers say they were able to achieve that spoofing with a relatively basic mask: little more than a sculpted silicone nose, some two-dimensional eyes and lips printed on paper, all mounted on a 3-D-printed plastic frame made from a digital scan of the would-be victim's face.
I remember when android brought out the first facial recognition to unlock phones, a friend was excited that no one but her could unlock the phone, and I took her picture, held the picture to the phone and it unlocked it.
After reports of that, Google made the facial recognition look for blinking to make sure it was an actual face (video still got around that).
Face ID was never going to be unbreakable, there's never been a security measure invented yet that can't be beaten.
Heck, even Touch ID has been broken multiple times, but everybody keeps using it.
But in the case of Face ID and Touch ID, it involves getting something from the phone owner.
Touch ID involves getting a mold of the phone owners finger that can then be placed in clay (play-doh for example).
And to break Face ID:
The researchers concede, however, that their technique would require a detailed measurement or digital scan of a the face of the target iPhone's owner. The researchers say they used a handheld scanner that required about five minutes of manually scanning their test subject's face. That puts their spoofing method in the realm of highly targeted espionage, rather than the sort of run-of-the-mill hacking most iPhone X owners might face
if you have that much access to someone's face, there are easier ways of opening their phones.