The Galaxy S8’s facial scanner can, unsurprisingly, be tricked with a photo.
"Just days after Samsung unveiled the Galaxy S8’s new facial-scanning feature, someone has already successfully spoofed it. Bloggers at Marcianophone secured a S8 with their face and then tricked the phone with a selfie that was saved on another device. The S8 eventually unlocked, though it took a few seconds."
Added entry security protocols such as Fingerprint scanner and pin code and pattern lock will help you with this situation until Samsung address this issue.
The face unlock was only ever meant to be a low security / fast unlock system and lets me honest Google did face unlock 1st and the same thing happened to them lol, Samsung could improve it but it would make it slower so there is the whole convenience vs speed argument. I would myself like to see that mode have some options like a option to have it on if it's with in distance of a trusted unlock device such as a bluetooth item, or even a same second scan using the IR cam at the same time. Personally I will be using iris scanner and pattern lock but would love to see a unlock condition that was only active when my S2 was in range