
Biometric data is never leaked because it never leaves the secure enclave in the device.


Biometric data is leaked whenever you touch a doorknob.


This. Biometrics are perfect for tracking but sh*t for security!


Your face can easily be mimicked. Biometric data is not stored in the phone, it is stored in you.

See: https://www.macrumors.com/2018/12/16/3d-printed-head-android...


> Your face can easily be mimicked.

Article: "I was ushered into a dome-like studio containing 50 cameras [...] The final model took a few days to generate at the cost of just over £300."

I don't see how that can be characterized as "easily." Possible, yes, but not easy. And it still didn't fool FaceID.


Maybe not easily in 2017, though there were other successful attempts to fool FaceID at the time [1]; there are also successful and easier attempts to fool FaceID today [0] that can successfully bypass it.

[0] https://www.technologyreview.com/2020/02/29/905599/how-coron...

[1] https://www.forbes.com/sites/daveywinder/2019/08/10/apples-i...


Torture can extract an alphanumeric password.


But is it the right password, or the duress one?


This thread is about Apple. From the link:

> 3D Printed Head Fools Android Face Recognition, iPhone X 'Impenetrable'


> The final model took a few days to generate at the cost of just over £300. "easily"


£300 is chump change in most any organization's budget.


This is why real security starts with a threat model.

If you are worried that someone will kidnap you, take you to a 3-D imaging system, hit you with an amnesiac so you forget that happened, build a mask realistic enough to unlock your iPhone – which that article noted could NOT be done for £300 – and then use that to unlock your devices, you have to start by asking why they wouldn’t simply unlock the device when they had enough control over you to run an invasive scan. That’s a movie-plot threat, not something anyone reading this needs to worry about, and if they did they should be investing in bodyguards.

Similarly, in the real world you have to make trade-offs. In this case, the alternative is using a password. Those are not only much, much easier to observe with a camera but also open rich new areas for an attacker to try: passwords are generated by normal people so they’re often weak, notoriously reused across multiple sites, and people are convinced by phishers to enter their passwords on the wrong site. Trying to protect against the Hollywood threats makes you more vulnerable to the kinds of things which befall many people on a daily basis.



