The new face of biometric access control

Passfaces’ authentication tool relies on the brain’s ability to know faces

Getting computers to recognize human faces is a multibillion-dollar business. One small company, though, is approaching the authentication problem from another direction by using computers to take advantage of the human brain’s facial-recognition ability.

Facial recognition is hardwired into the brain from infancy, said Paul Barrett, chief executive officer of Passfaces. The human brain can recognize familiar faces in 20 one-thousandths of a second without conscious effort, he said.

Passfaces’ software works on any computer with a graphical user interface, Barrett said. It creates a “passface” using a sequence of three to seven faces. Users see the images of the faces mixed in with eight decoy faces in a three-by-three grid. They must click on the faces in the correct order to gain access.

With passfaces, people don’t have to worry about remembering passwords or carrying tokens, Barrett said.

People are wary of the company’s approach, called cognometrics, because it’s so novel, said Jonathan Penn, a principal analyst at Forrester Research. But passfaces offer a superior alternative to passwords for single-factor authentication and don’t require physical tokens, which people can lose, he said.

The incidence of people forgetting their passfaces is extraordinarily low, Penn said. After he signed up, he didn’t return to the company’s Web site for a month, yet he got all the faces right the first time, he said.

The faces are assigned at random so algorithms can’t figure them out other than by brute-force attacks, Barrett said. Phishers would have to have a copy of all Passfaces’ example faces to fool users, he said.

For example, a user given five faces to remember has 95 possible combinations, or a 1 in 59,049 chance that someone else could randomly pick the same faces, Barrett said. That provides much more security than a four-digit PIN, which has only 10,000 possible combinations, he said.

The technology is immune to spyware, phishing and social engineering because remembering faces can’t be shared the way words or numbers can, Penn said. “This is something I couldn’t give away if I wanted to,” he added.

Passfaces’ software-only product suits situations in which people want to improve authentication without adding hardware, Penn said. “They don’t want something as cumbersome or as expensive as a token or smart card,” he said. It would also help business-to-business Web sites that deal with financial or other sensitive data.

The technology does have downsides, Penn said. It is less secure than a physical token and is susceptible to hackers who can look over the user’s shoulder to see the faces the user picks. People worried about such “shoulder surfing” should use physical tokens that provide one-time passwords instead, he said.

Cognometrics could disrupt current ID technology, replacing the majority of passwords and PINs used in nearly all online transactions, Barrett said.

Passfaces hopes to form partnerships with RSA Security, VeriSign, IBM and other companies to have them deploy its product as part of broader authentication solutions, Barrett said.

Bharosa provides virtual authentication

Bharosa is taking a new spin — and slide — on password and personal identification number input devices to improve the security of online authentication.

Bharosa Authenticator includes seven Virtual Authentication Devices that permit users to enter their password and PIN data securely, said Jon Fisher, the company’s chief executive officer. The program opens a window in which users click characters on a virtual keyboard or number pad.

Some devices include personalized text messages that confirm that the pop-up windows come from authorized sources. The tools use robust encryption to make each transaction unique and prevent anyone else from using the information to gain access, Fisher said.

Bharosa’s flagship device, Slider, requires first-time users to pick a symbol and click on arrow keys to slide it under characters of an alphanumeric password or PIN, Fisher said. On subsequent entry attempts, the software will grant access only if users enter all letters and numbers with the correct symbol. Bharosa also has a Wheel device that requires users to spin concentric wheels to input characters.

The technology thwarts phishing and other social engineering attacks by requiring users to perform actions only humans can do, Fisher said. The devices also sidestep spyware that grabs cookies and logs keystrokes, mouse clicks and screen captures, he said.


  • People
    2021 Federal 100 Awards

    Announcing the 2021 Federal 100 Award winners

    Meet the women and men being honored for their exceptional contributions to federal IT.

  • Comment
    Diverse Workforce (Image: Shutterstock)

    Who cares if you wear a hoodie or a suit? It’s the mission that matters most

    Responding to Steve Kelman's recent blog post, Alan Thomas shares the inside story on 18F's evolution.

Stay Connected