Pick a familiar face: System could someday replace passwords
Facelock is not the first password system to experiment with graphical elements, but it has an important difference: All of the images are continually changing. Volunteer users had little trouble logging in, and Facelock was found to be essentially impermeable to people who don’t know the user
Los Angeles Times
Imagine a whole new type of password, one that lets you dispense with all those numbers, letters and symbols, but is impenetrable to attackers.
Researchers at Britain’s University of York and the University of Glasgow have created a new password system that could one day allow users to access their bank accounts, phones or favorite websites simply by picking a familiar face from a grid of nine faces, four times in a row.
They call the system Facelock, and according to a new study published in the journal PeerJ, it is teeming with benefits. Most impressively, users were able to log into a test system using Facelock after not using it for a year.
Facelock, which won’t be on the market anytime soon, is not the first password system to experiment with graphical elements. A system called Passfaces requires a user to pick a photo of someone he or she knows from a grid of faces. But Facelock has an important difference. The images in the Facelock system are always changing, even the image of the familiar face.
The research team explains that people do not recognize all faces equally. We have no trouble identifying a familiar face across a series of different images that range in quality. On the other hand, when a face is not familiar to us, we are likely to think that different images of the same person are images of different people.
This well-studied psychological phenomenon can be frustrating to police when they ask a witness to identify a person caught on a fuzzy security-camera tape. In the case of Facelock, researchers were able to exploit it for the good of frustrated password users. They proposed that even a nefarious “shoulder surfer,” who was spying over a user’s shoulder when that user selected a familiar face, would have trouble picking the same person in a different image.
To test this hypothesis, researchers asked 120 volunteers to come up with between four and 10 different people whose faces would be familiar to them, but not to most people. Specifically, the researchers asked participants to come up with a “Z-list celebrity,” someone for whom there would be pictures on Google Images, but who was only known to a narrow group of people. Perhaps a famous skier or a well-regarded cello player.
After the Z-list celebrity had been selected, volunteers were asked to log into a website using the Facelock system. The idea was that one face in each of four grids would be familiar to the volunteer, but none of the faces would be familiar to an attacker. One week after having selected their familiar faces, 97.5 percent of participants had no problem logging on. One year later, 86.1 percent of participants were still able to choose their Z-list celebrity’s face, no problem.
“I didn’t think I could log in because I couldn’t remember any of the people I chose — but I did!” wrote one participant who is quoted in the study.
Another said: “I got them all right. Did you use the same images of the people or different ones? I got the impression I did not recognize the image but the person.”
Researchers also looked at how vulnerable the Facelock system is to attack by strangers; people who are close to the users, such as a spouse or other relative; and those “shoulder surfers” previously mentioned.
Facelock was found to be essentially impermeable to people who don’t know the users. Even people who were very close to the users were only able to get through all four grids successfully 6.6 percent of the time.
“Taken together, the success rates of account holders (97.5 percent), random zero-acquaintance attackers (less than 1 percent), and nominated high-acquaintance attackers (6.6 percent) strike us as a promising starting point,” the researchers write in the paper.
To test how permeable the system was to shoulder surfers, the researchers gathered 32 undergraduate students in a room and used a projector to show them an authentication code. (A green box highlighted the familiar faces chosen by one of the original volunteers in the grid.)
Then, the students were asked to pick out those same faces from another grid that had different images of the same person. Even in these beyond-ideal shoulder-lurking circumstances, the students were successful only 1.9 percent of the time.
The researchers write that the aim of their work was to “raise awareness of the important psychological contrast between familiar and unfamiliar face processing, and to explore the potential for exploiting this contrast in the context of authentication.”
Meanwhile, those of us who loathe the direction passwords have gone — more numbers, more symbols, longer — can dream of a day when all it requires to check a banking statement is to pick an image of your favorite Z-list celebrity.