The thing is, as quite a few people have pointed out, there's no way of knowing if the person involved trained the Galaxy Nexus and ICS to unlock using the photo, or his own face. It would be theoretically possible to train it using the photo, in which case unlocking it that way would make perfect sense.
In fact, no printed photograph was used at all. Because the "break-in" was attempted at a recent Samsung event, the image shown to the Galaxy Nexus was a picture of his face displayed on the screen of a different smartphone, which makes the attack cheaper still: no printing is needed, just a photo on any handset. In the blurb accompanying the YouTube video that demonstrates the flaw, he wrote:
"While some of you think that it is a trick and I had set the Galaxy Nexus up to recognise the picture, I assure you that the device was set up to recognise my face.... I would love to do this test again but I don't have a Galaxy Nexus, it is VERY hard to come by as it is not launched yet, but I urge anyone with a Galaxy Nexus to do the same test. Program the device to recognise YOUR FACE and then try to trick the same device with a similar looking picture, it will work."
This contradicts the reassurance Google gave at launch. After the Ice Cream Sandwich and Galaxy Nexus launch in Hong Kong last month, Koushik Dutta (Koush), the lead developer of CyanogenMod, tweeted that "The face recognition unlock thing is really easily hackable. Show it a photo."
Tim Bray, a Developer Advocate at Google focusing on Android, replied: "Nope. Give us some credit."
It is hard to see why Bray would have responded with bluster if the feature were not actually resistant to photos; a simple "it's a convenience feature" would have cost him nothing. Note, too, that the ICS setup screen itself warns that Face Unlock is less secure than a pattern, PIN or password and that someone who looks similar to you could unlock the phone, so Google does not position it as a strong lock. On the other hand, consider what the attack requires: a reasonably frontal snapshot of your face, plus physical access to a phone you have left unattended. Anyone who manages both has arguably earned the phone.
Watch the demo, below.