Facelock: Familiar faces could replace password recognition

Summary: They call it familiarity-based graphical authentication. You'll call it genius. It's authentication for the rest of us.

TOPICS: Storage, Security

People use the same stupid passwords because they can't remember smart ones. But what if it wasn't words but images? British researchers have shown it works - and it's hard to hack.

In a paper published on PeerJ, British researchers Rob Jenkins, Jane L. McLachlan and Karen Renaud tested a knowledge-based authentication method that tests what you know, not what you remember. Based on our powerful recognition capabilities, the method tests whether we find a face familiar or not.

Using images for security is not a new idea; the Passfaces system was tested back in 2000. But Passfaces is susceptible to "over the shoulder" attacks, since what is memorable to you is also memorable to an observer watching you pick it.

Facelock's difference is that the system offers security based on our innate ability to clearly differentiate between familiar and unfamiliar faces:

When a face is familiar to the viewer, it can be identified from a wide range of different photographs, even when image quality is very poor. Importantly for this study, different images of a familiar face are almost never mistaken for different people. In contrast, our ability to identify unfamiliar faces from photographs is strikingly poor. Very often, different photos of an unfamiliar face are seen as different individuals. Thus, familiarity with a particular face determines one’s ability to identify it across changes in image. [Citations removed for clarity]

Try yourself with this example from the paper:

[Figure: example face array from the paper]

Facelock presents a series of face arrays, where one face is familiar among unfamiliar ones. The user merely chooses the familiar face in each array.

The arrays can be presented in different orders with the faces in different positions. But it is our ability to recognize familiar faces in different images that provides the real security: Even if an attacker knows which faces we chose during one authentication, they are unlikely to recognize the same faces in different pictures.
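To make the mechanism concrete, here is a small simulation of the challenge-response described above. It is an added example and not code from the paper or from any Facelock implementation; the array size (nine faces, one familiar), the decision to show one array per enrolled identity, the photo identifiers and the two attacker models are all my own assumptions. The account holder is modelled as someone who recognises any photo of a familiar person; the shoulder-surfing stranger is modelled as someone who recognises only the exact images they saw in an earlier session and otherwise guesses, which is the recognition gap the paper relies on.

```python
import random
from dataclasses import dataclass

# Constructed sample data (not from the paper): each familiar identity has several
# distinct photos; distractors are photos of people the account holder does not know.
FAMILIAR_PHOTOS = {
    "alice": ["alice_01", "alice_02", "alice_03"],
    "bob":   ["bob_01", "bob_02", "bob_03"],
    "carol": ["carol_01", "carol_02", "carol_03"],
}
DISTRACTOR_PHOTOS = [f"unknown_{i:02d}" for i in range(1, 13)]
ARRAY_SIZE = 9  # assumed: one familiar face plus eight distractors per array


@dataclass
class Challenge:
    arrays: list   # what the user sees: one list of photo ids per array
    answers: list  # server side only: index of the familiar photo in each array


def build_challenge(rng, familiar=FAMILIAR_PHOTOS, distractors=DISTRACTOR_PHOTOS, k=ARRAY_SIZE):
    """One array per familiar identity, each holding a freshly chosen photo of that
    identity in a random position among k-1 randomly chosen distractors."""
    identities = list(familiar)
    rng.shuffle(identities)                  # array order varies per session
    arrays, answers = [], []
    for ident in identities:
        photo = rng.choice(familiar[ident])  # a different image of the same person each time
        cells = rng.sample(distractors, k - 1) + [photo]
        rng.shuffle(cells)                   # position within the array varies per session
        arrays.append(cells)
        answers.append(cells.index(photo))
    return Challenge(arrays, answers)


def new_challenge(seed=0):
    """Convenience wrapper: a reproducible challenge for a given seed."""
    return build_challenge(random.Random(seed))


def verify(challenge, selections):
    """Authenticate only if every array's selection is the familiar face."""
    return list(selections) == challenge.answers


def familiar_user_picks(challenge, familiar=FAMILIAR_PHOTOS):
    """Model of the account holder: recognises any photo of a familiar identity."""
    known = {p for photos in familiar.values() for p in photos}
    return [next(i for i, cell in enumerate(arr) if cell in known) for arr in challenge.arrays]


def observer_picks(challenge, seen_photos, rng):
    """Model of a stranger who watched one earlier session: recognises only the exact
    images they saw there, and guesses in any array that shows none of them."""
    picks = []
    for arr in challenge.arrays:
        hits = [i for i, cell in enumerate(arr) if cell in seen_photos]
        picks.append(hits[0] if hits else rng.randrange(len(arr)))
    return picks


def guess_probability(k=ARRAY_SIZE, n=len(FAMILIAR_PHOTOS)):
    """Chance that blind guessing passes all n arrays of k faces: (1/k)^n."""
    return (1.0 / k) ** n


def simulate(trials, seed=0):
    """Return (account-holder success rate, observer success rate) over fresh sessions.
    The observer sees the answers of one session, then attacks the next one."""
    rng = random.Random(seed)
    user_ok = observer_ok = 0
    for _ in range(trials):
        observed = build_challenge(rng)   # the session the attacker watched
        seen = {arr[i] for arr, i in zip(observed.arrays, observed.answers)}
        fresh = build_challenge(rng)      # the later session under attack
        user_ok += verify(fresh, familiar_user_picks(fresh))
        observer_ok += verify(fresh, observer_picks(fresh, seen, rng))
    return user_ok / trials, observer_ok / trials


if __name__ == "__main__":
    print("blind guess probability:", guess_probability())
    print("(user, observer) success over 2000 sessions:", simulate(2000))
```

With three photos per identity the observer still gets lucky whenever the same image is reused, so the simulated observer success rate is well above the blind-guess floor; the more distinct photos the server holds per familiar person, the closer the observer falls to guessing, which is the design knob the paper's argument points at.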

Testing the theory
The researchers ran two studies with over 400 participants. They included: account holders; attackers who were strangers; and attackers who were personal acquaintances. They tested at one-week and one-year delays.

Account holders were asked to choose faces of Z-list celebrities: people they knew who are famous in a narrow field, such as skiing or computer science, but not well known to the public at large.

After one week, without writing anything down, 97.5 percent could authenticate their accounts, while zero-acquaintance attackers succeeded less than 1 percent of the time - and that only when the faces were well-known. Personal attackers only succeeded 6.6 percent of the time.

After a year a full 86 percent were able to authenticate. Amazing!

They also tested whether attackers given a clear view of the right faces could authenticate with different photos of the same faces. Only photos of distinctive people - e.g. bald with round glasses - were recognized in different photos.

No pictures of the Joker. Got it.

The Storage Bits take
The ubiquity of "forgot password?" links is proof passwords don't work for humans. And the ease of dictionary attacks on encrypted passwords is proof they don't work well for computers either.

But just as we can recognize a friend's walk before we can see their faces, our pattern recognition skills mean that photos of people we know could be a powerful authentication tool: easy to remember; hard to hack.

Venture capitalists need to pump some money into this idea. Passwords suck and as security consciousness continues to rise - and it will thanks to Mr. Snowden - this will find a ready market.

Comments welcome, as always. How would this work for you?

  • Not so sure ...

    "Personal attackers only succeeded 6.6 percent of the time."

    ONLY 6.6% of thieves get to clear my bank account? That's all right then!
    • This Idea sucks...period

      Some people have a warped mentality about replacing imperfect systems with something shiny and new. Is the password system perfect? No. Is the world we live in perfect? No. Two-factor authentication and recognition of a user's IP address are very good security measures. This just sounds like a terrible idea to me.
  • How do the pictures get chosen, do I upload them so they are familiar...

    only to me? If so, and I upload the same photo to a bunch of sites (or tend to choose the same Z-list celebrities on multiple sites), including one where I signed up for some junk, then the bad guys might have the picture to get into other sites. Need some more information about implementation. Sounds like it might have possibilities, but the devil is always in the details!
  • That's one possibility.

    That's one possibility. There are other things being worked on as well, such as biometrics and QR codes (using your cell phone to authenticate) and such.

    One issue will be adoption and standardization. Convincing everybody to switch to a new system, whatever it turns out to be, will likely prove to be a difficult battle.
  • Choosing pictures

    @jkohut That's where, in the study, Z-list micro-celebs came in. I know what Alan Turing looks like but most people don't, so his photos could work. Einstein: too famous.

    But a better method might be for the site to have tens of thousands of pictures and ask you to load in 10 or more of a couple of people you know and associate those with your account name. With people taking billions of cell phone pics that shouldn't be too hard.

    R Harris
    • @R Harris, yes

      but if you chose Alan Turing on too many sites (and when I say YOU, I really mean the average Joe who more often has the bigger security problems than you do) AND specifically on THE WRONG site (phishing), then you can have the same problem as using the same password on more than one site. I am not saying this is a BAD idea, but the implementation (and usage by users) of it may or may not prove itself over time.
  • As Heenan73 pointed out, it needs to be extremely accurate.

    While your numbers sound convincing at first blush (less than 1% for zero-acquaintance, 6.6% for personal acquaintances), Heenan73 is actually correct in that we need far better assurances. Even a false positive rate of 1% is enough to equate to millions of successful attacks in a large scale botnet.

    . . . and you haven't mentioned at all how accurate face recognition technology is. Asking people to identify identical photos is nice, but for large scale operations a hacker may try to employ technology rather than people to solve the problem, so we need to know how well or poorly technology handles the problem.
  • I am unable to login to my bank because they use this system!!

    VERY bad idea. My bank does not let me upload a familiar face. I am unable to remember which random face was previously chosen from the other random faces presented. So, for this account, on-line banking is a no go! Besides, how can any password vault program remember? Answer: they cannot.
    A sample of 400 people is hardly a good survey to draw conclusions from.
    • No they don't

      The whole basis of the system is the use of familiar faces. Your bank uses another, different, flawed system as you have discovered...
  • Ugh

    Reminds me of a cartoon episode on "The Jetsons" where Jane wears a mask early in the morning to answer a visual phone call. During the call, her friend sneezes and loses her mask and looks like she just rolled out of bed... kind of like Jane did before she put on the mask.

    Not a good authentication method. Maybe combined with a second method for two-level authentication it would be OK, but definitely not by itself.
  • Am I missing something here?

    Surely, for Facebook in particular, it is often important to keep people who know the people we know out of parts of our lives that we don't choose to share?
    A simple example: in schools and colleges, cyber-bullies will often know everyone their victim knows.
    I don't think this is quite the breakthrough that is being suggested.
  • What about a familiar attacker?

    It seems like a familiar attacker, say an ex after a messy divorce, would be able to get into all your stuff.
    Buster Friendly
  • This is old hat

    Patent application US20030177366 from 2002 already describes the use of pictures of familiar scenes, not only faces, as a way to authenticate a user for login. That patent application also presents ways to make it privacy-enhanced.
  • how about the reverse

    Keep a picture of 'Joe Bag-o-donuts' on you and only let the system open with his picture. Visual recognition of a specific unknown individual, known only to you.
  • Reminds me of

    BlackBerry 10. You can use a picture to unlock your phone. You drag a specific number, say the number 1, to a specific place on a picture, say a rock, and the phone unlocks. You can change the number and the picture and where the unlock point is whenever you want. Quite clever actually.
    • Similar to Windows 8 photo unlock

      They use a gesture instead of a number and a point, technically even more entropy, I think. Also, since it's not a limited 3x3 grid like on Android, you could make a harder to read smudge pattern (like a 450 degree counterclockwise rotation). There might even be some kind of formula that shows the most amount of unique information you can memorize with the least effort and bias (there is a natural bias to just make a password "password" or a short memorable word).

      Breaking it down to more basic information seems to be better than relying on existing knowledge, if only because general knowledge is harder to control. Even if you lowered the barrier for memorization, the amount of different combinations stops mattering when you can't control what happens to the required knowledge. For instance, unless you maintain a totally private database of faces and names, the system relies on you having enough private photos of people you know, to then upload all of those photos, and name the people in those photos yourself. If the images/names are available to the public (or only to your friends, like on Facebook) they can recreate the database and match the images with a computer 1:1, which is probably as secure as it'll be to people who know you.

      I just can't imagine a scenario where you'd want the additional amount of random combinations when the required combination becomes more obvious.
  • Erm...

    "The ubiquity of "forgot password?" links is proof passwords don't work for humans. And the ease of dictionary attacks on encrypted passwords is proof they don't work well for computers either."

    I guess I'm in the minority, then. I can remember eight digits of nonsense far more easily than I can recognize most people's faces.