At an iPhone X launch event recently, Apple's Senior Vice President Phil Schiller claimed that Face ID can distinguish real human face from masks, thanks to its artificial intelligence (AI).
Using a 3D printer, the team at Vietnamese security firm Bkav created a mask that cost them $150.
"Nose was made by a handmade artist. We use 2D printing for other parts (similar to how we tricked Face Recognition nine years ago). The skin was also hand-made to trick Apple's Artificial Intelligence," Bkav said in a blog post.
"The mask is crafted by combining 3D printing with makeup and 2D images, besides some special processing on the cheeks and around the face, where there are large skin areas, to fool AI of Face ID," said Ngo Tuan Anh, Bkav's Vice President of Cyber Security.
The Bkav security experts who also posted a video on how they did this said Face ID can be fooled by mask, which means it is not an effective security measure.
In 2008, Bkav was the first company in the world to show that face recognition was not an effective security measure for laptops when Toshiba, Lenovo and Asus used this technology for their products.
"Many people in the world have tried different kinds of masks but all failed. It is because we understand how AI of Face ID works and how to bypass it," the firms said on its FAQ page.
"In future, we might use smartphones with 3D scanning capabilities (like Sony XZ1); or set up a room with a 3D scanner, a few seconds is enough for the scanning," it added.
Face ID projects more than 30,000 invisible IR dots and claims to only unlocks iPhone X when customers look at it and is designed to prevent spoofing by photos or masks.
Apple's Face ID technology uses a TrueDepth camera system made up of a dot projector, infrared camera and flood illuminator, and is powered by A11 Bionic to accurately map and recognise a face.
According to the firm, the recognition mechanism is not as strict as one thinks and Apple seems to rely too much on Face ID's AI.
"We just need half a face to create the mask. It was even simpler than we ourselves had thought," Bkav said.
According to the firm, if exploited, Face ID can create problems.
"Potential targets shall not be regular users, but billionaires, leaders of major corporations, nation leaders and agents like FBI need to understand the Face ID's issue.
"Security units' competitors, commercial rivals of corporations and even nations might benefit from our Proof of Concept," Bkav noted.
As for biometric security, fingerprint is the best, said the firm which discovered the first critical flaw in Google Chrome just days after its launch in 2008.