The team collected photos of 20 volunteer subjects from online sources, like a real digital identity thief or stalker would do. They then created 3D models of the volunteers' faces, added some facial animations and tweaked their eyes so they'd look like they were looking at the camera. In cases wherein they didn't find any that showed the subject's whole face, they recreated the missing parts, even those areas' shadows and texture. What makes that even more impressive is that some of the volunteers are security researchers themselves, and the team were only able to dig up three or so low-quality photos of them online.
Since the researchers' 3D models have shadows and even move a bit, they were able to fool four out of five security systems they tested 55 percent to 85 percent of the time. According to Wired, team member True Price said during the team's presentation at Usenix security conference:
"Some vendors -- most notably Microsoft with its Windows Hello software -- already have commercial solutions that leverage alternative hardware. [In Hello's case, that hardware is Tobii's eye-tracking camera.] However, there is always a cost-benefit to adding hardware, and hardware vendors will need to decide whether there is enough demand from and benefit for consumers to add specialized components like IR cameras or structured light projectors."
A real face would would give off infrared radiation, after all, which could be an added layer of protection. If you want to read more about the team's method and results, you can check out the the full paper they published on Wired.