The technology tested was simply too simplistic, and not a reflection on face recognition and biometrics in general. An effective “liveness” test must be part of any credible biometric test. Ideally it should be done seamlessly, without requiring the user to do anything other than submit a biometric signal. In the case of face recognition, with a video sensor, there is no shortage of effective, fast and transparent liveness tests that can be applied. I’d suggest the researchers tackle a state of the art technology and see what the results look like.
There are several techniques that readily come to mind, unfortunately they are all potentially somewhat sensitive to my current company and I'm not at liberty to disclose. With a little thought, I'm sure our colleagues here could come up with a solid list of measurable attributes that would not be present in a video playback, or at the least would register as sufficiently different, to serve as liveness detectors. Once our techniques make it into a patent, I will be more than happy to discuss them in detail with fellow IPVMers.
Personally I do not think that it is the worst idea ever to use facial recognition for the verification (access control) but at the same time it is not the best. IMO for the access control it is better to use a two-factor authentication in any case and additional value of face that it can be captured and stored for the reference.
There are different ways to avoid spoofing by presenting an image or video on a handheld device :) One of the best is to have two cams or a specific sensor and get a stereo image to be able to create a 3D model / measure depth. Other promising include illumination on capture, working with infrared images, analyzing background etc.
Biometrics does not mean the 100% reliability. It makes life harder for intruders but anything can be cracked.