The new face of biometric access control

Getting computers to recognize human faces is a multibillion-dollar business. One small company, though, is approaching the authentication problem from another direction by using computers to take advantage of the human brain’s facial-recognition ability.

Facial recognition is hardwired into the brain from infancy, said Paul Barrett, chief executive officer of Passfaces. The human brain can recognize familiar faces in 20 one-thousandths of a second without conscious effort, he said.

Passfaces’ software works on any computer with a graphical user interface, Barrett said. It creates a “passface” using a sequence of three to seven faces. Users see the images of the faces mixed in with eight decoy faces in a three-by-three grid. They must click on the faces in the correct order to gain access.

With passfaces, people don’t have to worry about remembering passwords or carrying tokens, Barrett said.

People are wary of the company’s approach, called cognometrics, because it’s so novel, said Jonathan Penn, a principal analyst at Forrester Research. But passfaces offer a superior alternative to passwords for single-factor authentication and don’t require physical tokens, which people can lose, he said.

The incidence of people forgetting their passfaces is extraordinarily low, Penn said. After he signed up, he didn’t return to the company’s Web site for a month, yet he got all the faces right the first time, he said.

The faces are assigned at random so algorithms can’t figure them out other than by brute-force attacks, Barrett said. Phishers would have to have a copy of all Passfaces’ example faces to fool users, he said.

For example, a user given five faces to remember has 95 possible combinations, or a 1 in 59,049 chance that someone else could randomly pick the same faces, Barrett said. That provides much more security than a four-digit PIN, which has only 10,000 possible combinations, he said.

The technology is immune to spyware, phishing and social engineering because remembering faces can’t be shared the way words or numbers can, Penn said. “This is something I couldn’t give away if I wanted to,” he added.

Passfaces’ software-only product suits situations in which people want to improve authentication without adding hardware, Penn said. “They don’t want something as cumbersome or as expensive as a token or smart card,” he said. It would also help business-to-business Web sites that deal with financial or other sensitive data.

The technology does have downsides, Penn said. It is less secure than a physical token and is susceptible to hackers who can look over the user’s shoulder to see the faces the user picks. People worried about such “shoulder surfing” should use physical tokens that provide one-time passwords instead, he said.

Cognometrics could disrupt current ID technology, replacing the majority of passwords and PINs used in nearly all online transactions, Barrett said.

Passfaces hopes to form partnerships with RSA Security, VeriSign, IBM and other companies to have them deploy its product as part of broader authentication solutions, Barrett said.