Wednesday, July 30, 2014         


Scientists come up with pass codes you can't forget

By Deborah Netburn

Los Angeles Times

LAST UPDATED: 05:33 p.m. HST, Jun 25, 2014

Imagine a whole new type of password — one that lets you dispense with all those numbers, letters and symbols, but is still impenetrable to attackers.

Researchers at Britain's University of York and the University of Glasgow have created a new password system that could one day allow users to access their bank accounts, their phones or their favorite websites simply by picking out a familiar face from a grid of nine faces, four times in a row.

They call the system Facelock, and according to a new study published in the journal PeerJ, it is teeming with benefits. Most impressively, users were able to log into a test system using Facelock after not using it for an entire year.

Facelock is not the first password system to experiment with graphical elements. A system called Passfaces requires a user to pick out a photo of someone they know from a grid of faces. But Facelock has an important difference. The images in the Facelock system are always changing — even the image of the familiar face.

The research team explains that people do not recognize all faces equally. We have no trouble identifying a familiar face across a series of different images that range in quality. On the other hand, when a face is not familiar to us, we are likely to think that different images of the same person are actually images of different people.

This well-studied psychological phenomenon can be frustrating to police when they ask a witness to identify a person caught in a fuzzy security camera tape, but in the case of Facelock, the researchers were able to exploit it for the good of frustrated password users. They proposed that even a nefarious "shoulder surfer," who was spying over a user's shoulder when that user selected a familiar face, would have trouble picking out the same person in a different image.

To test this hypothesis, they asked 120 volunteers to come up with between four and 10 different people whose faces would be familiar to them, but not to most people. Specifically, the researchers asked participants to come up with a "Z-list celebrity" — someone for whom there would definitely be pictures on Google Images, but who was only known to a narrow group of people. Perhaps a famous skier, or a well-regarded cello player.

After the Z-list celebrity had been selected, the volunteers were asked to log into a website using the Facelock system. The idea was that one face in each of four grids would be familiar to the volunteer, but none of the faces would be familiar to an attacker. One week after having selected their familiar faces, 97.5 percent of participants had no problem logging on. One year later, 86.1 percent of participants were still able to choose their Z-list celebrity's face, no problem.

"I didn't think I could log in because I couldn't remember any of the people I chose — but I did!" wrote one participant who is quoted in the study.

Another said: "I got them all right. Did you use the same images of the people or different ones? I got the impression I did not recognize the image but the person."

The researchers also looked at how vulnerable the Facelock system is to attack by strangers, as well as people who are close to the users, such as a spouse or other family member, and those "shoulder surfers" mentioned above.

Facelock was found to be essentially impermeable to people who don't know the users. Even people who were very close to the users were only able to get through all four grids successfully 6.6 percent of the time.

"Taken together the success rates of account holders (97.5 percent), random zero-acquaintance attackers (less than 1 percent), and nominated high-acquaintance attackers (6.6 percent) strike us as a promising starting point," the researchers write in the paper.

To test how permeable the system was to shoulder surfers, the researchers gathered 32 undergraduate students in a room and used a projector to show them an authentication code. (A green box highlighted the familiar faces chosen by one of the original volunteers in the grid.)

Then, the students were asked to pick out those same faces from another grid that had different images of the same person. Even in these beyond-ideal shoulder-lurking circumstances, the students were successful only 1.9 percent of the time.

It may sound good, but you shouldn't expect to see Facelock coming on the market anytime soon. The researchers say the aim of their work is not to create a new password system, but rather to "raise awareness of the important psychological contrast between familiar and unfamiliar face processing, and to explore the potential for exploiting this contrast in the context of authentication," they write.

Still, those of us who loathe the direction pass codes have gone — more numbers, more symbols, longer — can dream of a day when all it requires to check your banking statements is to pick out an image of your favorite Z-list celebrity.


steveoctober wrote:
Interesting, but won't work in the US as this discriminates against the visually impaired. Lawsuits waiting to happen.
on June 25,2014 | 05:35PM
localguy wrote:
Pure shibai. It will work just fine in the USA. This would just be one of many ways for a secure log in for the visually impaired. Just as we have now. You must have attended the Nei's failing educational system.
on June 25,2014 | 07:44PM
Nultech wrote:
This sounds like my bathroom mirror on any given Saturday morning...
on June 25,2014 | 08:09PM
false wrote:
i still think the fingerprint mo bettah
on June 26,2014 | 01:09AM
KaneoheSJ wrote:
Great article on security. What is disturbing is that our banks still use an archaic method in regards to our bank card's security. The consumers in Europe have been using a new and more technologically advanced card but the USA, "The Greatest Nation on the Planet", still uses an outdated mode. The simple reason is that the banks do not think that our personal sense of security when it comes to our bank cards is not as important as their bottom line. It will only take an act of Congress to change this. Sad, but that is the state of affairs when it comes to our personal banking here in the United States where theft is rampant.
on June 26,2014 | 11:03AM