The new face of biometric access control

Passfaces’ authentication tool relies on the brain’s ability to know faces

Getting computers to recognize human faces is a multibillion-dollar business. One small company, though, is approaching the authentication problem from another direction by using computers to take advantage of the human brain’s facial-recognition ability.

Facial recognition is hardwired into the brain from infancy, said Paul Barrett, chief executive officer of Passfaces. The human brain can recognize familiar faces in 20 one-thousandths of a second without conscious effort, he said.

Passfaces’ software works on any computer with a graphical user interface, Barrett said. It creates a “passface” using a sequence of three to seven faces. Users see the images of the faces mixed in with eight decoy faces in a three-by-three grid. They must click on the faces in the correct order to gain access.

With passfaces, people don’t have to worry about remembering passwords or carrying tokens, Barrett said.

People are wary of the company’s approach, called cognometrics, because it’s so novel, said Jonathan Penn, a principal analyst at Forrester Research. But passfaces offer a superior alternative to passwords for single-factor authentication and don’t require physical tokens, which people can lose, he said.

The incidence of people forgetting their passfaces is extraordinarily low, Penn said. After he signed up, he didn’t return to the company’s Web site for a month, yet he got all the faces right the first time, he said.

The faces are assigned at random so algorithms can’t figure them out other than by brute-force attacks, Barrett said. Phishers would have to have a copy of all Passfaces’ example faces to fool users, he said.

For example, a user given five faces to remember has 95 possible combinations, or a 1 in 59,049 chance that someone else could randomly pick the same faces, Barrett said. That provides much more security than a four-digit PIN, which has only 10,000 possible combinations, he said.

The technology is immune to spyware, phishing and social engineering because remembering faces can’t be shared the way words or numbers can, Penn said. “This is something I couldn’t give away if I wanted to,” he added.

Passfaces’ software-only product suits situations in which people want to improve authentication without adding hardware, Penn said. “They don’t want something as cumbersome or as expensive as a token or smart card,” he said. It would also help business-to-business Web sites that deal with financial or other sensitive data.

The technology does have downsides, Penn said. It is less secure than a physical token and is susceptible to hackers who can look over the user’s shoulder to see the faces the user picks. People worried about such “shoulder surfing” should use physical tokens that provide one-time passwords instead, he said.

Cognometrics could disrupt current ID technology, replacing the majority of passwords and PINs used in nearly all online transactions, Barrett said.

Passfaces hopes to form partnerships with RSA Security, VeriSign, IBM and other companies to have them deploy its product as part of broader authentication solutions, Barrett said.

Bharosa provides virtual authentication

Bharosa is taking a new spin — and slide — on password and personal identification number input devices to improve the security of online authentication.

Bharosa Authenticator includes seven Virtual Authentication Devices that permit users to enter their password and PIN data securely, said Jon Fisher, the company’s chief executive officer. The program opens a window in which users click characters on a virtual keyboard or number pad.

Some devices include personalized text messages that confirm that the pop-up windows come from authorized sources. The tools use robust encryption to make each transaction unique and prevent anyone else from using the information to gain access, Fisher said.

Bharosa’s flagship device, Slider, requires first-time users to pick a symbol and click on arrow keys to slide it under characters of an alphanumeric password or PIN, Fisher said. On subsequent entry attempts, the software will grant access only if users enter all letters and numbers with the correct symbol. Bharosa also has a Wheel device that requires users to spin concentric wheels to input characters.

The technology thwarts phishing and other social engineering attacks by requiring users to perform actions only humans can do, Fisher said. The devices also sidestep spyware that grabs cookies and logs keystrokes, mouse clicks and screen captures, he said.

FCW in Print

In the latest issue: Looking back on three decades of big stories in federal IT.


  • Anne Rung -- Commerce Department Photo

    Exit interview with Anne Rung

    The government's departing top acquisition official said she leaves behind a solid foundation on which to build more effective and efficient federal IT.

  • Charles Phalen

    Administration appoints first head of NBIB

    The National Background Investigations Bureau announced the appointment of its first director as the agency prepares to take over processing government background checks.

  • Sen. James Lankford (R-Okla.)

    Senator: Rigid hiring process pushes millennials from federal work

    Sen. James Lankford (R-Okla.) said agencies are missing out on younger workers because of the government's rigidity, particularly its protracted hiring process.

  • FCW @ 30 GPS

    FCW @ 30

    Since 1987, FCW has covered it all -- the major contracts, the disruptive technologies, the picayune scandals and the many, many people who make federal IT function. Here's a look back at six of the most significant stories.

  • Shutterstock image.

    A 'minibus' appropriations package could be in the cards

    A short-term funding bill is expected by Sept. 30 to keep the federal government operating through early December, but after that the options get more complicated.

  • Defense Secretary Ash Carter speaks at the TechCrunch Disrupt conference in San Francisco

    DOD launches new tech hub in Austin

    The DOD is opening a new Defense Innovation Unit Experimental office in Austin, Texas, while Congress debates legislation that could defund DIUx.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group