Can’t one simply not use the facial recognition feature?
Yes, one can use a numeric (or longer alphanumeric) code for entry.
Or she can just be aware that one other particular person can unlock her phone.
There isn’t a fingerprint sensor to fall back on.
This, however, is akin to discovering that someone else happens to have the same numeric code. With 4 or 6 digits, vs tens of millions of users, odds are a couple people who know each other are likely to use the same code.
Key point here is it’s ONE particular pair of people who happen to look similar enough (to the device) that one can open the other’s phone. This is NOT a case of total security failure (as some will construe it). And this is a biometric convenience, not full-on data security; it’s akin to having a locked front door knowing full well a willful & motivated thief could easily break a window and climb in your house - to wit if you want serious security, use a passphrase > 6 characters, not merely face or finger biometrics.