A password alternative that uses a sequence of memorable faces as a key may have cracked the traditional trade-off between memorability and security.
Dubbed 'Facelock', the new system is based on the psychology of face recognition, and its inventors claim it could put an end to forgotten passwords while also protecting users from prying eyes.
The concept relies on the fact that humans can recognize familiar faces across a wide range of images, even when the image quality is poor, while recognition of unfamiliar faces is tied to a specific image – so much so that different photos of the same unfamiliar face are often thought to be different people.
To register with the Facelock system, users nominate a set of faces that are well known to them, but are not well known to other people, which are used to create a personalized password.
The 'lock' consists of a series of face grids and each grid is constructed so that one face is familiar to the user, whilst all other faces are unfamiliar. Authentication is a matter of simply touching the familiar face in each grid.
"Pretending to know a face that you don't know is like pretending to know a language that you don't know – it just doesn't work. The only system that can reliably recognise faces is a human who is familiar with the faces concerned," said Dr Rob Jenkins of the University of York, lead author of a study in the open-access journal PeerJ.
The researchers found that it was surprisingly easy to assemble a set of faces that are recognisable only to the user, such as a favourite jazz trombonist or a revered poker player, because one person's idol is another person's stranger.
By combining faces from across a user's domains of familiarity the researchers were able to create a set of faces that were known to that user only.
According to the authors, building authentication around familiarity has several advantages: unlike password or PIN-based systems, a familiarity-based approach never requires users to commit anything to memory, nor does it require them to name the faces in order to authenticate.
The authors say psychological research has shown that familiarity with a face is virtually impossible to lose and so this system is naturally robust. In the current study, users authenticated easily even after a one-year interval.
To test resistance to prying eyes, the researchers asked volunteer attackers to watch a successful authentication sequence based on four target faces and then to pick out the same four faces from similar test grids. The attacks were easily defeated simply by using different photos of the same faces in the test grids: an observer who has seen an unfamiliar face once cannot recognise it in a new image, so the only remaining option is to guess.
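The following Python model, added here as an illustration and not code from the Facelock study, simulates the grid-based lock described above and the observation attack it was tested against. The 3x3 grids, four rounds, three photos per identity and the string labels standing in for face images are all assumptions for the example; the article gives none of these details. Two challenge policies are compared: a weak variant that always shows the same image of each face, and the study's defence of never reusing a photo an observer has already seen.

```python
"""Toy model of a familiarity-based face-grid lock (added example, not the Facelock code).

Assumptions, not taken from the article: 3x3 grids, four rounds, three distinct photos
per identity, and an attacker who memorises the exact images tapped in one observed login.
All 'faces' are constructed string labels standing in for images.
"""
import random

GRID_SIZE = 9          # cells per grid (assumed)
ROUNDS = 4             # grids per login; the article mentions four target faces
PHOTOS_PER_FACE = 3    # distinct images available per identity (assumed)


def build_pool(n_identities, photos_per_face=PHOTOS_PER_FACE):
    """Constructed data: map each identity to a list of distinct photo labels."""
    return {f"face{i}": [f"face{i}/photo{j}" for j in range(photos_per_face)]
            for i in range(n_identities)}


def make_challenge(pool, familiar, rng, avoid_photos=frozenset(), static_photos=False):
    """Build ROUNDS grids, each holding one photo of a familiar face and GRID_SIZE-1
    photos of strangers, shuffled. Photos in avoid_photos are never shown again
    (the 'different photos of the same faces' defence); static_photos=True models
    a weak scheme that always shows the same image of every face."""
    strangers = sorted(set(pool) - set(familiar))
    targets = rng.sample(sorted(familiar), ROUNDS)
    grids = []
    for target in targets:
        identities = [target] + rng.sample(strangers, GRID_SIZE - 1)
        cells = []
        for ident in identities:
            if static_photos:
                photo = pool[ident][0]
            else:
                options = [p for p in pool[ident] if p not in avoid_photos]
                if not options:
                    raise ValueError(f"no unused photo left for {ident}")
                photo = rng.choice(options)
            cells.append((ident, photo))
        rng.shuffle(cells)
        grids.append(cells)
    return grids


def verify(grids, taps, familiar):
    """Server-side check: every tapped cell must show a familiar identity."""
    return len(taps) == len(grids) and all(
        grids[i][tap][0] in familiar for i, tap in enumerate(taps))


def legitimate_user(grids, familiar):
    """The user recognises a familiar face in any photo, so taps by identity."""
    return [next(i for i, (ident, _) in enumerate(cells) if ident in familiar)
            for cells in grids]


def observed_photos(grids, taps):
    """What a shoulder-surfer takes away: the exact images that were tapped."""
    return frozenset(grids[i][tap][1] for i, tap in enumerate(taps))


def replay_attacker(grids, seen_photos, rng):
    """Taps a cell whose image was seen in the observed login; otherwise guesses."""
    taps = []
    for cells in grids:
        hits = [i for i, (_, photo) in enumerate(cells) if photo in seen_photos]
        taps.append(hits[0] if hits else rng.randrange(len(cells)))
    return taps


def recognised_cells(grids, seen_photos):
    """Number of grids that still contain an image the attacker has seen before."""
    return sum(any(photo in seen_photos for _, photo in cells) for cells in grids)


def guess_success_probability(grid_size=GRID_SIZE, rounds=ROUNDS):
    """Chance of passing by blind guessing when each grid holds exactly one target."""
    return (1 / grid_size) ** rounds


def attack_success_rate(trials, rotate_photos, seed=0):
    """Monte Carlo: observe one genuine login, then replay against a fresh challenge.
    rotate_photos=False reuses fixed images (weak); True never reshows a seen photo."""
    rng = random.Random(seed)
    pool = build_pool(40)
    familiar = frozenset(f"face{i}" for i in range(ROUNDS))
    wins = 0
    for _ in range(trials):
        first = make_challenge(pool, familiar, rng, static_photos=not rotate_photos)
        seen = observed_photos(first, legitimate_user(first, familiar))
        fresh = make_challenge(pool, familiar, rng,
                               avoid_photos=seen if rotate_photos else frozenset(),
                               static_photos=not rotate_photos)
        wins += verify(fresh, replay_attacker(fresh, seen, rng), familiar)
    return wins / trials


def demo(seed=0):
    """One genuine login followed by a photo-rotated challenge; returns the key facts."""
    rng = random.Random(seed)
    pool = build_pool(40)
    familiar = frozenset(f"face{i}" for i in range(ROUNDS))
    first = make_challenge(pool, familiar, rng)
    taps = legitimate_user(first, familiar)
    seen = observed_photos(first, taps)
    rotated = make_challenge(pool, familiar, rng, avoid_photos=seen)
    return {"genuine_passes": verify(first, taps, familiar),
            "seen_images": len(seen),
            "reusable_cells_after_rotation": recognised_cells(rotated, seen)}


if __name__ == "__main__":
    print(demo())
    print("fixed images, replay success:", attack_success_rate(200, rotate_photos=False))
    print("rotated photos, replay success:", attack_success_rate(2000, rotate_photos=True))
    print("blind guess probability:", guess_success_probability())
```

With fixed images the observer wins every time, because the tapped pictures reappear and can be matched pixel for pixel without knowing the face. Once the tapped photos are retired, none of the observed images recur, the attacker is reduced to guessing, and the success rate collapses towards (1/9)^4 under these assumed parameters. The residual guessing probability is the one figure a practitioner should keep in mind: it depends entirely on grid size and round count, neither of which the article specifies.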
The researchers are now hoping for software developers to take the framework and turn it into a polished app, and optimise the usability of the system.