Perhaps the most disturbing however was how they used taking a photo of someone’s face on the Surface 2 tablet and holding it up over their own face and logging in as someone else’s profile. This proves just about anyone with a tablet can snapshot and login as someone else if they have their system set to facial recognition for authentication only with no other security measure. Though it would have increased cost, infrared scanning that created a thermal map of the face in addition to physical characteristics would have been an easy way to thwart and prevent a photo on a tablet from being able to bypass the facial recognition. The IR camera of the Xbox One may not likely have had the same limitations for facial recognition if it also requires the IR snapshot of the face along with the characteristics.
Meanwhile, it does have a convenience factor and can be used to access your profile but should not be used as a substitute for authentication. It was a great article and I enjoyed seeing how much the team went through to create a mask that can be worn by anyone to allow others to login too.
Read the source article when you get a chance.