Is Facelock the password alternative we’ve been waiting for?

By Philip Branch

Published 26 June 2014

Researchers propose a new system based on the psychology of face recognition called Facelock. The idea certainly sounds interesting and the technical challenges in implementing such a system do not seem great. But there are difficult questions regarding cost, selection and security of images that need to be answered before it becomes a practical alternative to passwords.

Philip Branch, Swinburne University of Technology // Source: swinburne.edu.au

One of the problems with using passwords to prove identity is that passwords that are easy to remember are also easy for an attacker to guess, and vice versa.

Nevertheless, passwords are cheap to implement and well understood, so despite the mounting evidence that they are often not very secure, until something better comes along they are likely to remain the main mechanism for proving identity.

But maybe something better has come along. In research published the other day in PeerJ, Rob Jenkins from the University of York and colleagues propose a new system based on the psychology of face recognition called Facelock. But how does it stack up against existing authentication systems?

Exploiting the power of recognition

Our brains may not be wired to remember long strings of arbitrary characters, but they are wired to remember and recognize faces.

Our ability to recognize people we know — even when we haven’t seen them for a long time, even in a grainy photo with them looking the other way, even in sunglasses with a hat pulled low over their face — is quite extraordinary. Facelock tries to integrate this ability into an identity authentication system.

If we know someone well we can usually recognize them easily from an image, regardless of how poor the image is. However, this ability does not extend to unfamiliar faces. If we don’t know the person, we find identifying two different images of the same person very difficult.

This is the basis of the proposed authentication system. Someone seeking to authenticate their identity (the “subject”) is presented with a succession of pages, each containing nine faces of which one is a person well known to the subject. To prove identity, the face of the familiar person in each grid is clicked.

It is worth pointing out that systems such as Passfaces already do something similar. In Passfaces, during the setup phase, the user selects a number of faces from those presented to them. When logging in, the user must pick out the faces previously selected.

Facelock differs in that it allows the subject to choose familiar faces that others are unlikely to recognize. The subjects in this study were told to choose “Z-list celebrities” via Google Image Search: obscure musicians, sportspersons or other little-known people who are nonetheless of interest to them.
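
The grid login described above can be sketched as follows. This is an added example, not code from the Facelock researchers or the original article; the image identifiers, the function names and the choice of four grids are assumptions made for illustration.

```python
import hmac
import secrets
from fractions import Fraction

GRID_SIZE = 9  # the article's figure: nine faces per page, one of them familiar

def build_challenge(familiar, decoys, rng=None):
    """Build one grid per familiar face; return (grids, answer positions)."""
    rng = rng or secrets.SystemRandom()  # unpredictable placement by default
    grids, answers = [], []
    for target in familiar:
        pool = [d for d in decoys if d != target]
        if len(pool) < GRID_SIZE - 1:
            raise ValueError("need at least 8 decoy faces per grid")
        others = rng.sample(pool, GRID_SIZE - 1)
        pos = rng.randrange(GRID_SIZE)
        grids.append(others[:pos] + [target] + others[pos:])
        answers.append(pos)  # kept server-side, never sent to the client
    return grids, answers

def verify(answers, clicks):
    """Accept only if every grid is right; give no per-grid feedback."""
    if len(clicks) != len(answers):
        return False
    if any(not isinstance(c, int) or not 0 <= c < GRID_SIZE for c in clicks):
        return False
    return hmac.compare_digest(bytes(answers), bytes(clicks))

def blind_guess_probability(n_grids, attempts=1):
    """Chance that someone who recognises no face passes within `attempts`
    tries, assuming fresh random grids on every try."""
    p = Fraction(1, GRID_SIZE) ** n_grids
    return 1 - (1 - p) ** attempts

if __name__ == "__main__":
    # Constructed sample data: hypothetical image identifiers.
    familiar = [f"familiar_{i}.jpg" for i in range(4)]  # four grids: assumed
    decoys = [f"decoy_{i}.jpg" for i in range(40)]
    grids, answers = build_challenge(familiar, decoys)
    print(verify(answers, answers))
    print(blind_guess_probability(4))
    print(float(blind_guess_probability(4, attempts=3)))
```

The probability function only covers an attacker who recognises none of the faces; it says nothing about someone who knows the subject well enough to recognise them.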