The new face of biometric access control

Passfaces’ authentication tool relies on the brain’s ability to know faces

Getting computers to recognize human faces is a multibillion-dollar business. One small company, though, is approaching the authentication problem from another direction by using computers to take advantage of the human brain’s facial-recognition ability.

Facial recognition is hardwired into the brain from infancy, said Paul Barrett, chief executive officer of Passfaces. The human brain can recognize familiar faces in 20 one-thousandths of a second without conscious effort, he said.

Passfaces’ software works on any computer with a graphical user interface, Barrett said. It creates a “passface” using a sequence of three to seven faces. Users see the images of the faces mixed in with eight decoy faces in a three-by-three grid. They must click on the faces in the correct order to gain access.

With passfaces, people don’t have to worry about remembering passwords or carrying tokens, Barrett said.

People are wary of the company’s approach, called cognometrics, because it’s so novel, said Jonathan Penn, a principal analyst at Forrester Research. But passfaces offer a superior alternative to passwords for single-factor authentication and don’t require physical tokens, which people can lose, he said.

The incidence of people forgetting their passfaces is extraordinarily low, Penn said. After he signed up, he didn’t return to the company’s Web site for a month, yet he got all the faces right the first time, he said.

The faces are assigned at random so algorithms can’t figure them out other than by brute-force attacks, Barrett said. Phishers would have to have a copy of all Passfaces’ example faces to fool users, he said.

For example, a user given five faces to remember has 95 possible combinations, or a 1 in 59,049 chance that someone else could randomly pick the same faces, Barrett said. That provides much more security than a four-digit PIN, which has only 10,000 possible combinations, he said.

The technology is immune to spyware, phishing and social engineering because remembering faces can’t be shared the way words or numbers can, Penn said. “This is something I couldn’t give away if I wanted to,” he added.

Passfaces’ software-only product suits situations in which people want to improve authentication without adding hardware, Penn said. “They don’t want something as cumbersome or as expensive as a token or smart card,” he said. It would also help business-to-business Web sites that deal with financial or other sensitive data.

The technology does have downsides, Penn said. It is less secure than a physical token and is susceptible to hackers who can look over the user’s shoulder to see the faces the user picks. People worried about such “shoulder surfing” should use physical tokens that provide one-time passwords instead, he said.

Cognometrics could disrupt current ID technology, replacing the majority of passwords and PINs used in nearly all online transactions, Barrett said.

Passfaces hopes to form partnerships with RSA Security, VeriSign, IBM and other companies to have them deploy its product as part of broader authentication solutions, Barrett said.

Bharosa provides virtual authentication

Bharosa is taking a new spin — and slide — on password and personal identification number input devices to improve the security of online authentication.

Bharosa Authenticator includes seven Virtual Authentication Devices that permit users to enter their password and PIN data securely, said Jon Fisher, the company’s chief executive officer. The program opens a window in which users click characters on a virtual keyboard or number pad.

Some devices include personalized text messages that confirm that the pop-up windows come from authorized sources. The tools use robust encryption to make each transaction unique and prevent anyone else from using the information to gain access, Fisher said.

Bharosa’s flagship device, Slider, requires first-time users to pick a symbol and click on arrow keys to slide it under characters of an alphanumeric password or PIN, Fisher said. On subsequent entry attempts, the software will grant access only if users enter all letters and numbers with the correct symbol. Bharosa also has a Wheel device that requires users to spin concentric wheels to input characters.

The technology thwarts phishing and other social engineering attacks by requiring users to perform actions only humans can do, Fisher said. The devices also sidestep spyware that grabs cookies and logs keystrokes, mouse clicks and screen captures, he said.

Featured

  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

  • Census
    shutterstock image

    2020 Census to include citizenship question

    The Department of Commerce is breaking with recent practice and restoring a question about respondent citizenship last used in 1950, despite being urged not to by former Census directors and outside experts.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.