Scientists Come Up With Pass Codes You Can’t Forget
By Deborah Netburn, Los Angeles Times
Imagine a whole new type of password — one that lets you dispense with all those numbers, letters and symbols, but is still impenetrable to attackers.
Researchers at Britain’s University of York and the University of Glasgow have created a new password system that could one day allow users to access their bank accounts, their phones or their favorite websites simply by picking out a familiar face from a grid of nine faces, four times in a row.
They call the system Facelock, and according to a new study published in the journal Peer J, it is teeming with benefits. Most impressively, users were able to log into a test system using Facelock after not using it for an entire year.
Facelock is not the first password system to experiment with graphical elements. A system called Passfaces requires a user to pick out a photo of someone they know from a grid of faces. But Facelock has an important difference. The images in the Facelock system are always changing — even the image of the familiar face.
The research team explains that people do not recognize all faces equally. We have no trouble identifying a familiar face across a series of different images that range in quality. On the other hand, when a face is not familiar to us, we are likely to think that different images of the same person are actually images of different people.
This well-studied psychological phenomenon can be frustrating to police when they ask a witness to identify a person caught in a fuzzy security camera tape, but in the case of Facelock, the researchers were able to exploit it for the good of frustrated password users. They proposed that even a nefarious “shoulder surfer,” who was spying over a user’s shoulder when that user selected a familiar face, would have trouble picking out the same person in a different image.
To test this hypothesis, they asked 120 volunteers to come up with between four and 10 different people whose faces would be familiar to them, but not to most people. Specifically, the researchers asked participants to come up with a “Z-list celebrity” — someone for whom there would definitely be pictures on Google Images, but who was only known to a narrow group of people. Perhaps a famous skier, or a well-regarded cello player.
After the Z-list celebrity had been selected, the volunteers were asked to log into a website using the Facelock system. The idea was that one face in each of four grids would be familiar to the volunteer, but none of the faces would be familiar to an attacker. One week after having selected their familiar faces, 97.5 percent of participants had no problem logging on. One year later, 86.1 percent of participants were still able to choose their Z-list celebrity’s face, no problem.
“I didn’t think I could log in because I couldn’t remember any of the people I chose — but I did!” wrote one participant who is quoted in the study.
Another said: “I got them all right. Did you use the same images of the people or different ones? I got the impression I did not recognize the image but the person.”
The researchers also looked at how vulnerable the Facelock system is to attack by strangers, as well as people who are close to the users, such as a spouse or other family member, and those “shoulder surfers” mentioned above.
Facelock was found to be essentially impermeable to people who don’t know the users. Even people who were very close to the users were only able to get through all four grids successfully 6.6 percent of the time.
“Taken together the success rates of account holders (97.5 percent), random zero-acquaintance attackers (<1 percent), and nominated high-acquaintance attackers (6.6 percent) strike us as a promising starting point,” the researchers write in the paper.
To test how permeable the system was to shoulder surfers, the researchers gathered 32 undergraduate students in a room and used a projector to show them an authentication code. (A green box highlighted the familiar faces chosen by one of the original volunteers in the grid.)
Then, the students were asked to pick out those same faces from another grid that had different images of the same person. Even in these beyond-ideal shoulder-lurking circumstances, the graduate students were successful only 1.9 percent of the time.
It may sound good, but you shouldn’t expect to see Facelock coming on the market anytime soon. The researchers say the aim of their work is not to create a new password system, but rather to “raise awareness of the important psychological contrast between familiar and unfamiliar face processing, and to explore the potential for exploiting this contrast in the context of authentication,” they write.
Still, those of us who loathe the direction pass codes have gone — more numbers, more symbols, longer — can dream of a day when all it requires to check your banking statements is to pick out an image of your favorite Z-list celebrity.
Ron Bennetts via Flickr