Insecure passwords? A solution could be staring us in the face, say psychologists.

The human ability to recognize familiar faces among strangers provides an opportunity for more secure accounts, say researchers at two UK universities.

This is an example of how Facelock could be implemented in practice. (Image: Rob Jenkins)

Imagine never having to memorize another password, but still having your information be secure.

The key may be as plain as the nose on your face.

Researchers in the United Kingdom have found a way to leverage humans' uncanny ability to recognize familiar faces. Their prototype system, dubbed Facelock, grants access to users after they identify a familiar face among a selection of strangers.

This study, published in the scientific journal PeerJ, reinforces previous research on the human aptitude for facial recognition in unfamiliar circumstances or in poor-quality images.

As social animals, humans have a knack for faces. Even hour-old newborns, who have yet to develop the ability to process basic shapes, have shown a tendency to stare at faces longer than they do at other objects.

Facelock caters to this strength. The system, built by psychologist Rob Jenkins of the University of York and his coauthors at the University of Glasgow, presents nine faces, one of which belongs to someone the user knows well. The photo itself isn't necessarily familiar, but that doesn't seem to matter so long as the face is.

"There's a very big difference between how we deal with familiar faces and how we deal with unfamiliar faces that we've never seen before," says Dr. Jenkins. As a result, proper users "don't have to retain anything in memory to be able to authenticate."

How do they know it works?

To test this concept, the researchers recruited 120 volunteers. First, the volunteers selected a pool of familiar faces. In order to do this, they entered the names of four to ten "targets." These targets were people the users were quite familiar with but whom they thought would be unknown to others.

This list included family members and friends as well as "Z-list" celebrities, as researchers called them. These were people who were famous in a narrow category but whom the study participant could recognize easily. After the pool was created, the account holders had to approve four images of each of their targets.

One week later, the account holders returned to log in. The lock was made up of four grids of images. Each grid had eight strangers and one target. If the user selected all four targets correctly, access was granted. If not, the images were reset. The account holders had three attempts before the test was over. The users successfully logged in 97.5 percent of the time.

To separate memory from the equation, the researchers tested their subjects again one year later. Even though the users never wrote down their targets' names or used Facelock over that year, the account holders logged in 86.1 percent of the time.

The researchers took this to represent the strength of our ability to recognize familiar faces, especially because users were presented with different photos of the same targets.

Can it be hacked?

The researchers recruited 114 volunteer "hackers," none of whom had ever met the account holders, to attempt to break into users' accounts. Just as the proper users did, these volunteers tried to log in by selecting target faces from four grids. They too had three chances to get it right.

Only one hacker – 0.9 percent – successfully broke in. And the account that was breached did not have the most secure lock. That account holder had selected, as two of the four target faces, members of the rock band Led Zeppelin, men who aren't exactly Z-list stars.

But what if the attacker was a sneaky friend or family member of the account holder? Each of the original volunteers referred close acquaintances to the researchers to act as personal attackers. Some were even the account holders' spouses.

While these personal attackers had more success than the strangers, they still only broke in 6.6 percent of the time. As with the successful non-acquaintance attack, many of the celebrity targets were too well known.
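As an added illustration (not the researchers' code), the sketch below models the four-grid lock described above and computes the exact success rate of purely random guessing within three attempts, the baseline against which the reported attack rates can be read. The photo identifiers, the choice of a distinct target per grid, and judging all four picks together are assumptions made for the example.

```python
import secrets
from fractions import Fraction

GRIDS, GRID_SIZE, MAX_ATTEMPTS = 4, 9, 3   # figures reported in the article
_rng = secrets.SystemRandom()              # CSPRNG: grid layout must not be predictable

# Constructed sample data: target name -> four approved photo ids, plus stranger photos.
SAMPLE_TARGETS = {f"target{i}": [f"t{i}_photo{j}" for j in range(4)] for i in range(5)}
SAMPLE_DECOYS = [f"stranger{i}" for i in range(40)]

def build_challenge(targets, decoys):
    """Return (grids, answers): each grid holds eight strangers and one target photo."""
    grids, answers = [], []
    for name in _rng.sample(sorted(targets), GRIDS):   # assumption: a distinct target per grid
        faces = _rng.sample(decoys, GRID_SIZE - 1)
        pos = _rng.randrange(GRID_SIZE)
        faces.insert(pos, _rng.choice(targets[name]))  # any approved photo of that person
        grids.append(faces)
        answers.append(pos)
    return grids, answers

class FacelockSession:
    def __init__(self, targets, decoys):
        self.targets, self.decoys = targets, decoys
        self.attempts_left = MAX_ATTEMPTS
        self.grids, self._answers = build_challenge(targets, decoys)

    def attempt(self, picks):
        """Judge all four picks together (assumption), giving no per-grid feedback."""
        if self.attempts_left == 0:
            raise PermissionError("no attempts left")
        self.attempts_left -= 1
        ok = list(picks) == self._answers
        if not ok:  # images are reset after a failed attempt
            self.grids, self._answers = build_challenge(self.targets, self.decoys)
        return ok

def blind_guess_rate(attempts=MAX_ATTEMPTS):
    """Exact chance that uniform random picking succeeds within the allowed attempts."""
    per_try = Fraction(1, GRID_SIZE) ** GRIDS          # (1/9)^4 = 1/6561
    return 1 - (1 - per_try) ** attempts

if __name__ == "__main__":
    print(float(blind_guess_rate()))   # baseline for reading observed attack rates
```

Random guessing succeeds in roughly 0.046 percent of three-attempt sessions, so the reported 0.9 percent (strangers) and 6.6 percent (acquaintances) reflect attackers recognizing targets rather than chance.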

What about the types of hackers who stand behind you at the ATM? Could they access your accounts just by watching you log in through Facelock?

According to the researchers, they can't. In a second study designed to test just that, the only successful attacks occurred when the targets had distinct facial features that could be identified from one photo to another.

But is this any better than a password?

"If you're a programmer and you're trying to access other people's accounts, actually passwords and PIN numbers are the bee's knees," says Jenkins. "Computers love that. They love churning through the different combinations and checking every possibility."

But with Facelock, Jenkins says a computer could not perform as well as a human. He explains that although computerized facial recognition systems are advancing, they have difficulty with varying settings, light, context, angles or other changes.

"The only system that can reliably recognize naturally varying images of faces is a human that is familiar with that face," says Jenkins.

"But I am a psychologist, not a computer scientist. There are plenty of people who know more about this than I do," Jenkins admits. "I also believe that there is no perfect security system."

The point of this research was to propose an alternative to PINs and passwords. "We're not saying this is a perfect system and [that] we dare anyone to try and break it," says Jenkins. "There are all sorts of locks and security mechanisms that are useful, even though they're not perfect. For most purposes, good security is better than no security."

Jenkins and his colleagues do not plan to commercialize Facelock. "We think this is a cool and novel idea. We've tested it to see if it's workable in principle." Jenkins says he can now confidently say, "Yes it is."
