GCN Lab Review | Passfaces relies on the user's memory
- By Michelle Speir Haase
- Jun 15, 2007
NETWORK GREETERS: Which of these faces is the gatekeeper? Only an authorized user knows for sure.
If complicated passwords confound you but you never forget a face, you'll be glad to learn about a relatively new class of personal authentication called cognometrics.
Cognometrics measures innate human cognitive abilities such as face recognition. Most people, in fact, are good at remembering faces because the ability is hardwired into the brain.
A company called Passfaces is taking advantage of this ability with a unique authentication product, also called Passfaces.
Instead of typing a password or swiping a fingerprint, users click on a series of facial images, or passfaces, to log in.
We tested Passfaces for Windows, which replaces the existing Microsoft Windows log-in module and is one of three Passfaces flavors ' the others are Passfaces Web Access and Passfaces Financial. It doesn't remove or alter the original code, though, so you can easily revert to the standard log-in procedure by uninstalling the software and resetting user passwords.Password compatible
Passfaces is fully scalable and meets Microsoft's requirements for complex passwords. It doesn't require an additional user database because it uses existing Active Directory.
The software works locally on workstations within a local-area network; for remote authentication, you can use a standard Web browser. Because Passfaces piggybacks on the standard Windows log-in procedures, you can also use it to authenticate locally on a laptop PC not connected to a network. Administrators assign users between one and seven passfaces. We used five, the default number.
As a first-time user, you must complete a familiarization process that lets you practice the authentication procedure several times.
We found this extremely helpful. We were daunted at first by the prospect of memorizing five new faces at once, but by the time we encountered the live log-in, we recognized our passfaces with no trouble. It's kind of like the first day at a new job: You may not remember your co-workers' names, but you can easily recognize them.
The software presents you with a three-by-three grid of nine faces at log-in. One of them is your first passface, and the other eight are decoys. When you click on the correct face, the program shows you a second grid containing your second passface and eight decoys.
The process continues until you have selected all your passfaces in sequence. In our case, we saw five grids because we had five passfaces.
Each time you log in, your grids are presented in the same sequence, but the faces change positions within their grids. For example, at one log-in your first passface might be in the top-left corner of the first grid, but the next time it could be at the bottom right. The first face will always come up first, however, and the last one last.
If you click on an incorrect passface, the program does not notify you until you have completed your entire sequence. That way, a potential hacker won't know which face(s) were incorrect.
Passfaces has several advantages over passwords and tokens. A memorized facial image can't be stolen or even given away very easily. Just try describing a face so another person could pick it out of a grid containing other faces with similar features. It can be done, but it's not easy.
This inability to give away the information the way you could words or numbers makes the system immune to spyware and phishing.
Each user's passfaces are assigned at random, so algorithms can't figure them out other than by brute force attacks. Phishers would have to have a copy of all the example faces in order to fool users.
A user with five faces to remember has 95 possible combinations, or a 1 in 59,049 chance that someone else would randomly choose the same faces. In contrast, a four-digit personal identification number has only 10,000 possible combinations.
What's more, while passwords can be forgotten and tokens lost, it's rare that someone would completely forget a face. We were able to recognize our passfaces almost immediately even after not seeing them for two weeks.
One of the biggest risks with Passfaces is that someone could look over your shoulder and see which faces you're clicking on. And the sneaky thief could then memorize the right faces, just as the valid user did.
In environments where this could be a problem, physical tokens that provide one-time passwords are a better option.
And while physical tokens are at risk of being lost or stolen, they do provide more security than Passfaces.Spoof-proof
Some agencies might want to improve authentication without adding hardware or tokens, which can be costly. Passfaces gives you a second factor of security relatively easily and without the need for hardcore user training, since everyone can look at the faces and use a skill they were born with. In that case, we think Passfaces would be an excellent choice.
It's a unique technology that takes advantage of something that is difficult to lose and no one can steal or spoof: your memory.