Is Facelock the password alternative we’ve been waiting for?

So does it work?
The authors present impressive statistics to support their Facelock approach: subjects detected familiar faces with 97.5 percent accuracy, compared to less than 1 percent for would-be attackers.

Both our ability to recognize faces of people we know and our inability to identify faces of the same person when we do not know them are confirmed by the study.

But the study went further. When the faces chosen were of people of interest to the subject, subjects were still able to recognize them a year later, with an 86 percent success rate.

A possible weakness of the approach was also tested. It might seem that if someone knows us well, they might also know many of the same faces.

Interestingly, this was not the case. Partners and close friends were surprisingly poor at identifying faces known by the study participants (a 6.6 percent success rate). Colleagues of the subjects and people looking over their shoulder at their selections were even worse.

So this ability seems to satisfy the other requirement for an authentication mechanism, that of being unique to each person. That is, not even the people closest to us will be able to recognize the same faces that we can.

But there are downsides
Technical challenges are unlikely to limit such a system. As noted, systems such as Passface have been available for many years. But there are other issues that need solutions before such a system becomes a practical alternative to passwords.

The main issue is that setting up such a system will likely be very labor intensive. How would images be selected for the system? Images of well-known figures would be unsuitable; they would have to be people who are not widely known.

Additionally, images of the same person would need to be sufficiently different that identifying the person is a challenge for anyone unfamiliar with the faces. How could we determine if they are different enough?

It is hard to see how such a system could be set up with anything like the ease with which a password is created.

There are other issues as well. Would the system be susceptible to a brute force attack where every combination is tried until the correct one is found?

Some systems force regular password changes on users — should images be changed frequently as well? How would the images be secured? Password files make use of many security features to secure them — what would be necessary for image files? Could face recognition software be used to defeat such a system?

So has something better than passwords finally arrived? The idea certainly sounds interesting and the technical challenges in implementing such a system do not seem great. But there are difficult questions regarding cost, selection and security of images that need to be answered before it becomes a practical alternative to passwords.

Philip Branch is Senior Lecturer in Telecommunications at Swinburne University of Technology. This story published courtesy of The Conversation (under Creative Commons-Attribution/No derivatives).