Recently I posted this theoretical spoofing attack in a comment. I'm glad to know they've put in the appropriate measure to detect it - randomly blinking the IR dot pattern, requiring any spoofed videos to react to the blinking with very near zero lag (likely sub-microsecond). Specifically, the last step in this process could be detected because the generated IR video would have a static dot pattern.
How to (not) hack FaceID:
You'd need:
1. 2 phones (at least 1 with an IR camera, such as another iPhone X)
2. a helper app
3. access to 10+ photos of the victim (Facebook typically)
4. a small mirror
With the helper app:
1. capture the suspect's phone's unique IR dot pattern by shining their phone at a white piece of paper, recording it with the helper app (the helper phone needs an IR camera of course, such as another iPhone X)
2. the app makes a 3D model of the person's face from the FB pictures
3. the app generates two animated videos of their face, 1 just a normal color video and another simulated "IR video" with the unique dot pattern applied
4. now you need to show the 2 videos to FaceID, using the mirror to show the color video to the color camera and the IR video to the IR camera. Note: It's still TBD which wavelengths the IR camera is sensitive to and which wavelengths smartphone screens can put out, so the IR video device may need to be specially made...
Theoretical countermeasure: I get an IR-visible tattoo that you can't see in my Facebook pictures but FaceID can. I think the level of equipment needed to pull your attack off couldn't be done off-the-shelf. It seems reasonable that the IR camera would scan in detail greater than that of a typical display (say, 500ppi) and it needs 100,000dpi resolution. Then you need bigger displays, advanced optics to reduce it to the expected size without distortion, and so on...
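
The blink check described in the first comment, as an added Python simulation that is not part of the original thread and is not Apple's implementation: the verifier picks an unpredictable on/off schedule for the dot projector and rejects any capture whose dots do not follow it. Frame-level timing, the function names and the `tolerance` parameter are assumptions made for illustration.

```python
import secrets

def blink_schedule(n_frames):
    """Verifier side: unpredictable projector state per frame (True = dots on)."""
    return [secrets.randbits(1) == 1 for _ in range(n_frames)]

def live_scene(schedule):
    """A real surface shows dots only while the projector is actually on."""
    return list(schedule)

def static_replay(schedule):
    """Pre-rendered IR video: the dot pattern is baked into every frame."""
    return [True] * len(schedule)

def lagged_replay(schedule, lag):
    """A display that senses the blink but reacts `lag` frames late (assumed model)."""
    return [False] * lag + list(schedule[:len(schedule) - lag])

def mismatches(schedule, observed):
    """Frames where the observed dot state disagrees with the challenge."""
    return sum(s != o for s, o in zip(schedule, observed))

def accept(schedule, observed, tolerance=0):
    """Accept only captures that track the challenge; tolerance models sensor noise."""
    return (len(observed) == len(schedule)
            and mismatches(schedule, observed) <= tolerance)

if __name__ == "__main__":
    challenge = blink_schedule(64)
    for name, capture in [
        ("live scene", live_scene(challenge)),
        ("static replay", static_replay(challenge)),
        ("replay, 1-frame lag", lagged_replay(challenge, 1)),
    ]:
        print(f"{name:20s} mismatches={mismatches(challenge, capture):2d} "
              f"accepted={accept(challenge, capture)}")
```
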