One of the problems with using passwords to prove identity is that passwords that are easy to remember are also easy for an attacker to guess, and vice versa.
Nevertheless, passwords are cheap to implement and well understood, so despite the mounting evidence that they are often not very secure, until something better comes along they are likely to remain the main mechanism for proving identity.
But maybe something better has come along. In research published yesterday in PeerJ, Rob Jenkins from University of York and colleagues propose a new system based on the psychology of face recognition called Facelock. But how does it stack up against existing authentication systems?
Exploiting the power of recognition
Our brains may not be wired to remember long strings of arbitrary characters, but they are wired to remember and recognise faces.
Our ability to recognise people we know – even when we haven’t seen them for a long time, even in a grainy photo with them looking the other way, even in sunglasses with a hat pulled low over their face – is quite extraordinary. Facelock tries to integrate this ability into an identity authentication system.
If we know someone well we can usually recognise them easily from an image, regardless of how poor the image is. However, this ability does not extend to unfamiliar faces. If we don’t know the person, we find identifying two different images of the same person very difficult.
This is the basis of the proposed authentication system. Someone seeking to authenticate their identity (the “subject”) is presented with a succession of pages, each containing nine faces, of which one is a person well known to the subject. To prove identity, the subject clicks the familiar face in each grid.
It is worth pointing out that systems such as Passfaces already do something similar. In Passfaces, during the set up phase, the user selects a number of faces that are presented to them. When logging in, the faces previously selected must be chosen.
Facelock differs in that it allows the subject to choose familiar faces that others are unlikely to recognise. The subjects in this study were told to choose “Z-list celebrities” via Google Image Search, such as obscure musicians, sportspersons or other little-known people who nevertheless interest them.
So does it work?
The authors present impressive statistics to support their Facelock approach: subjects detected familiar faces with 97.5% accuracy, compared to less than 1% for would-be attackers.
Both our ability to recognise faces of people we know and our inability to identify faces of the same person when we do not know them are confirmed by the study.
But the study went further. Because the chosen faces were of people of interest to the subject, subjects could still recognise them a year later, with an 86% success rate.
A possible weakness of the approach was also tested. It might seem that if someone knows us well, they might also know many of the same faces.
Interestingly, this was not the case. Partners and close friends were surprisingly poor at identifying faces known by the study participants (a 6.6% success rate). Colleagues of the subjects and people looking over their shoulder at their selections were even worse.
So this ability seems to satisfy the other requirement for an authentication mechanism, that of being unique to each person. That is, not even the people closest to us will be able to recognise the same faces that we can.
But there are downsides
Technical challenges are unlikely to limit such a system. As noted, systems such as Passfaces have been available for many years. But there are other issues that need solutions before such a system becomes a practical alternative to passwords.
The main issue is that setting up such a system will likely be very labour intensive. How would images be selected for the system? Images of well known figures would be unsuitable; they would have to be people who are not widely known.
Additionally, images of the same person would need to be sufficiently different that identifying the person is a challenge for anyone unfamiliar with the faces. How could we determine if they are different enough?
It is hard to see how such a system could be set up with anything like the ease that a password is created.
There are other issues as well. Would the system be susceptible to a brute force attack where every combination is tried until the correct one is found?
Some systems force regular password changes on users – should images be changed frequently as well? How would the images be secured? Password files make use of many security features to secure them – what would be necessary for image files? Could face recognition software be used to defeat such a system?
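The brute-force question above can be answered for the grid mechanism the article describes (nine faces per page, one familiar). The following is an added toy model, written for this article and not the study's or any vendor's code: it builds a multi-round challenge, verifies a set of clicks, and computes how likely uniformly random clicking is to pass, which is what a lockout policy has to be sized against. The number of rounds per login, the face labels and the decoy pool are constructed assumptions; the article does not say how many pages a real login uses.

```python
"""Illustrative model of a Facelock-style grid challenge (not the study's code)."""
import math
import random
from fractions import Fraction

GRID_SIZE = 9  # the article's grid: nine faces, exactly one familiar to the subject


def build_challenge(familiar, decoys, rounds, rng=None):
    """Build `rounds` grids. Each grid holds one face from `familiar` plus
    GRID_SIZE - 1 faces drawn from `decoys`. Returns [(grid, target_index), ...].
    Face labels are plain strings standing in for image identifiers (assumption)."""
    rng = rng or random.SystemRandom()
    if set(familiar) & set(decoys):
        raise ValueError("a familiar face must not also appear as a decoy")
    if len(decoys) < GRID_SIZE - 1:
        raise ValueError("not enough decoy faces to fill a grid")
    if len(familiar) < rounds:
        raise ValueError("need a distinct familiar face for every round")
    chosen = rng.sample(familiar, rounds)  # never reuse a familiar face within one login
    challenge = []
    for face in chosen:
        grid = rng.sample(decoys, GRID_SIZE - 1) + [face]
        rng.shuffle(grid)
        challenge.append((grid, grid.index(face)))
    return challenge


def verify(challenge, clicks):
    """True only if every round's click lands on that round's familiar face."""
    if len(clicks) != len(challenge):
        return False
    return all(click == target for (_, target), click in zip(challenge, clicks))


def guess_success_probability(rounds, grid_size=GRID_SIZE):
    """Chance that a single attempt of uniformly random clicks passes every round."""
    return Fraction(1, grid_size) ** rounds


def success_within_attempts(rounds, attempts, grid_size=GRID_SIZE):
    """Chance that at least one of `attempts` independent random attempts passes.
    This is the figure a lockout threshold should be chosen against."""
    p = guess_success_probability(rounds, grid_size)
    return 1 - (1 - p) ** attempts


def equivalent_bits(rounds, grid_size=GRID_SIZE):
    """Guessing entropy of the grid scheme in bits: rounds * log2(grid_size)."""
    return rounds * math.log2(grid_size)


def password_bits(length, alphabet_size):
    """Guessing entropy of a uniformly random password, for comparison."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed sample data: six familiar faces and a pool of forty decoys.
    familiar = [f"known{i}" for i in range(6)]
    decoys = [f"decoy{i}" for i in range(40)]
    rounds = 4  # assumed number of pages per login
    challenge = build_challenge(familiar, decoys, rounds, random.Random(7))
    correct = [target for _, target in challenge]
    print("honest login passes:", verify(challenge, correct))
    print("one random attempt:", guess_success_probability(rounds))
    print("five random attempts:", float(success_within_attempts(rounds, 5)))
    print("grid entropy (bits):", round(equivalent_bits(rounds), 2))
    print("8-char lowercase password (bits):", round(password_bits(8, 26), 2))
```

With four rounds of nine faces the scheme offers about 12.7 bits of guessing entropy, in the same range as a four-digit PIN (about 13.3 bits) and far below an eight-character random password, so it only holds up against online guessing if attempts are rate-limited or locked out, exactly as PIN-based systems are. Offline guessing does not arise in the same way, because there is no stored secret to crack; the server only needs to know which images are familiar, which brings the article's question of how the image sets themselves are secured back to the fore.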
So has something better than passwords finally arrived? The idea certainly sounds interesting and the technical challenges in implementing such a system do not seem great. But there are difficult questions regarding cost, selection and security of images that need to be answered before it becomes a practical alternative to passwords.