Insecure passwords? A solution could be staring us in the face, say psychologists.

The human ability to recognize familiar faces among strangers provides an opportunity for more secure accounts, say researchers at two UK universities.

This is an example of how Facelock could be implemented in practice.

Rob Jenkins

June 25, 2014

Imagine never having to memorize another password, but still have your information be secure.

The key may be as plain as the nose on your face.

Researchers in the United Kingdom have found a way to leverage humans' uncanny ability to recognize familiar faces. Their prototype system, dubbed Facelock, grants access to users after they identify a familiar face among a selection of strangers.

Howard University hoped to make history. Now it’s ready for a different role.

This study published in the scientific journal PeerJ reinforces previous research on the human aptitude for facial recognition in unfamiliar circumstances or in poor quality images.

As social animals, humans have a knack for faces. Even hour-old newborns, who have yet to develop the ability to process basic shapes, have shown a tendency to stare at faces longer than they do at other objects.

Facelock caters to this strength. The system, built by psychologist Rob Jenkins of the University of York and his coauthors of the University of Glasgow, presents nine faces, one of which belongs to someone the user knows well. The photo itself isn't necessarily familiar, but that doesn't seem to matter so long as the face is.

"There's a very big difference between how we deal with familiar faces and how we deal with unfamiliar faces that we've never seen before," says Dr. Jenkins. As a result, proper users "don't have to retain anything in memory to be able to authenticate."

How do they know it works?

To test this concept, the researchers recruited 120 volunteers. First, the volunteers selected a pool of familiar faces. In order to do this, they entered the names of four to ten "targets." These targets were people the users were quite familiar with but whom they thought would be unknown to others.

Ukraine’s Pokrovsk was about to fall to Russia 2 months ago. It’s hanging on.

This list included family members and friends as well as "Z-list" celebrities, as researchers called them. These were people who were famous in a narrow category but who the study participant could recognize easily. After the pool was created, the account holders had to approve four images of each of their targets.

One week later, the account holders returned to log in. The lock was made up of four grids of images. Each grid had eight strangers and one target. If the user selected all four targets correctly, access was granted. If not, the images were reset. The account holders had three attempts before the test was over. The users successfully logged in 97.5 percent of the time.

To separate memory from the equation, the researchers tested their subjects again one year later. Even though the users never wrote down their targets' names or used Facelock over that year, the account holders logged in 86.1 percent of the time.

The researchers took this to represent the strength of our ability to recognize familiar faces, especially because users were presented with different photos of the same targets.

Can it be hacked?

The researchers recruited 114 volunteer ‘hackers,' none of whom had ever met the account holders, to attempt to break into users' accounts. Just as the proper users did, these volunteers tried to login by selecting target faces from four grids. They too had three chances to get it right.

Only one hacker – 0.9 percent – successfully broke in. And the account that was breached did not have the most secure lock. That account holder had selected, as two of the four target faces, members of the rock band Led Zeppelin, men who aren't exactly Z-list stars.

But what if the attacker was a sneaky friend or family member of the account holder? Each of the original volunteers referred close acquaintances to the researchers to act as personal attackers. Some were even the account holders' spouses.

While these personal attackers had more success than the strangers, they still only broke in 6.6 percent of the time. As with the successful non-acquaintance attack, many of the celebrity targets were too well known.

What about the types of hackers who stand behind you at the ATM? Could they access your accounts just by watching you log in through Facelock?

According to the researchers, they can't. In a second study designed to test just that, the only successful attacks occurred when the targets had distinct facial features that could be identified from one photo to another.

But is this any better than a password?

"If you're a programmer and you're trying to access other people's accounts, actually passwords and PIN numbers are the bees knees," says Jenkins. "Computers love that. They love churning through the different combinations and checking every possibility."

But with Facelock, Jenkins says a computer could not perform as well as a human. He explains that although computerized facial recognition systems are advancing, they have difficulty with varying settings, light, context, angles or other changes.

"The only system that can reliably recognize naturally varying images of faces is a human that is familiar with that face," says Jenkins.

"But I am a psychologist, not a computer scientist. There are plenty of people who know more about this than I do," Jenkins admits. "I also believe that there is no perfect security system."

The point of this research was to propose an alternative to PINs and passwords. "We're not saying this is a perfect system and [that] we dare anyone to try and break it," says Jenkins. "There are all sorts of locks and security mechanisms that are useful, even though they're not perfect. For most purposes, good security is better than no security."

Jenkins and his colleagues do not plan to commercialize Facelock. "We think this is a cool and novel idea. We've tested it to see if it's workable in principle." Jenkins says he can now confidently say, "Yes it is."