Face ID is the only biometric security system on the iPhone X. Unlike other systems, which use invariant landmarks on your face such as the distance between your eyes, it uses the shape of your face, which is much more changeable.
To make it reliable and easy to use, Apple therefore had to make the system not only tolerant but also able to learn, so that it adjusts to normal changes such as growing a beard or losing or gaining weight.
It seems that tolerance is the Achilles heel of the system, making it pretty easy to trick, not just by twins but also, it appears, by brothers, one 4 years older than the other, who do not look much alike at all.
Russian application developer Salavat Khanov posted the video below, which shows how easy it is to get the iPhone X to allow unlocking by two different people.
— Salavat Khanov (@khanov) November 3, 2017
The key is that Face ID scans your face even when the passcode is used and assumes that person is the owner; if the face matches the already-trained template closely enough, the template is updated with the new data.
Two other brothers documented the process a bit better, and it seems 4 successful PIN unlocks are enough for the iPhone to accept the new person as the original owner.
Apple has, however, anticipated this scenario, and it appears the temporary data is eventually discarded if your face returns to normal (or the regular user resumes usage of their device).
It is, however, notable that owners now need to look out for more than evil twins: lending your phone to relatives may mean they also have easy access to your phone in the near future, even if you change your PIN.
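The behaviour described above can be reproduced in a toy model, added here as an illustration; it is not Apple's algorithm or code. Faces are constructed 2-D points, and the thresholds, the blending factor and the immediate discard on an owner match are all assumptions chosen so that four passcode unlocks are needed, as in the brothers' report.

```python
import math

UNLOCK_T = 1.0   # assumed: max distance for a face-only unlock
ADAPT_T = 3.0    # assumed: max distance at which a passcode unlock still trains
ALPHA = 0.25     # assumed: how far each training step pulls the learned template

# Constructed sample "faces": distance from OWNER stands in for dissimilarity.
OWNER, SIBLING, STRANGER = (0.0, 0.0), (2.4, 0.0), (5.0, 0.0)

class ToyFaceLock:
    def __init__(self, owner_face, passcode):
        self.enrolled = tuple(owner_face)  # fixed enrollment template
        self.adapted = None                # temporary learned template
        self.passcode = passcode

    def face_unlock(self, face):
        if math.dist(face, self.enrolled) < UNLOCK_T:
            self.adapted = None            # owner is back: drop temporary data
            return True
        return (self.adapted is not None
                and math.dist(face, self.adapted) < UNLOCK_T)

    def passcode_unlock(self, face, code):
        if code != self.passcode:
            return False
        # The face seen during passcode entry is treated as the owner's, but
        # only trains the model if it is already "close enough" to enrollment.
        if math.dist(face, self.enrolled) < ADAPT_T:
            base = self.adapted if self.adapted is not None else self.enrolled
            self.adapted = tuple(b + ALPHA * (f - b) for b, f in zip(base, face))
        return True

def passcode_unlocks_until_accepted(lock, face, code, limit=20):
    """Count passcode unlocks needed before `face` alone unlocks the device."""
    for n in range(limit + 1):
        if lock.face_unlock(face):
            return n
        if not lock.passcode_unlock(face, code):
            return None
    return None                            # never accepted within `limit`

if __name__ == "__main__":
    lock = ToyFaceLock(OWNER, "1234")
    print("sibling accepted after",
          passcode_unlocks_until_accepted(lock, SIBLING, "1234"), "passcode unlocks")
    lock.passcode = "9876"                 # changing the passcode keeps learned data
    print("sibling still accepted:", lock.face_unlock(SIBLING))
    print("owner unlocks:", lock.face_unlock(OWNER))
    print("sibling after owner returns:", lock.face_unlock(SIBLING))
```

In this model the learned template survives a passcode change and is dropped only when the enrolled face is seen again, which is why handing over the passcode even briefly matters more than it first appears.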