Pass Phrases, Passwords, and PassFaces

Wednesday, September 15, 2004

Jesper Johansson has started a new article series on The Great Debates: Pass Phrases vs. Passwords Part 1 of 3, continuing the debate on which method of secure authentication to use.

For a different spin, I recently heard about PassFaces. Last week, I attended the New England Information Security Group meeting in Waltham, MA at the Microsoft offices and heard someone from Real User talk about this interesting way of authenticating users. Below is a snippet of information from their site:

How The Passface™ System Works

Users start by getting to know a group of (typically 3 to 7) faces – their passfaces – which are assigned by the system at random from a large library of anonymous faces. This simple and intuitive initial familiarization process takes around 3 to 5 minutes for 5 passfaces.
To authenticate a user, the system displays a 3 by 3 grid of faces containing one passface and 8 decoy faces positioned randomly within the grid.
The user responds by indicating the position of their passface in the grid. This challenge/ response is repeated with each of the user's remaining passfaces – each time presented in a grid with 8 more decoy faces.
The user is authenticated once all their passfaces have been recognized successfully.
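To make the mechanics above concrete, here is an added simulation of the enrollment and challenge/response steps as the snippet describes them. This is example code written for this post, not Real User's implementation: the 200-entry face library, the `enroll`/`build_challenge`/`authenticate` function names and the `respond` callback are assumptions. It also computes the size of the guessing space, which is what a defender should weigh when comparing the scheme with a PIN or password: each 3-by-3 grid gives 1 chance in 9, so n passfaces give a random guesser 9^-n (about 16 bits for 5 passfaces).

```python
import math
import secrets
from typing import Callable, List, Sequence, Tuple

# Constructed stand-in for the "large library of anonymous faces".
# A real deployment would hold image identifiers, not labels like these.
FACE_LIBRARY: Sequence[str] = tuple(f"face{n:03d}" for n in range(1, 201))

GRID_SIZE = 9  # 3-by-3 grid: one passface plus 8 decoys


def enroll(library: Sequence[str], count: int = 5) -> List[str]:
    """Assign `count` distinct passfaces at random from the library.

    Uses the CSPRNG in `secrets`, as a server-side assignment should, so the
    faces are not predictable from a seed or a user attribute.
    """
    if not 3 <= count <= 7:
        raise ValueError("passface count should be 3 to 7, as described")
    pool = list(library)
    return [pool.pop(secrets.randbelow(len(pool))) for _ in range(count)]


def build_challenge(passface: str, library: Sequence[str],
                    enrolled: Sequence[str]) -> Tuple[List[str], int]:
    """Return one flattened 3x3 grid and the index of the passface in it.

    Decoys are drawn only from faces that are not among the user's own
    passfaces, so two of their faces can never appear in the same grid, and
    the passface position is chosen with the CSPRNG for every round.
    """
    decoy_pool = [f for f in library if f not in enrolled]
    grid = [decoy_pool.pop(secrets.randbelow(len(decoy_pool)))
            for _ in range(GRID_SIZE - 1)]
    position = secrets.randbelow(GRID_SIZE)
    grid.insert(position, passface)
    return grid, position


def authenticate(enrolled: Sequence[str], library: Sequence[str],
                 respond: Callable[[List[str]], int]) -> bool:
    """Run the full challenge/response: one grid per enrolled passface.

    `respond(grid)` plays the user's part and returns the clicked index.
    Every round is evaluated before the verdict is returned, so a wrong click
    in round 1 does not reveal that later rounds were never checked.
    """
    ok = True
    for passface in enrolled:
        grid, position = build_challenge(passface, library, enrolled)
        ok &= (respond(grid) == position)
    return ok


def random_guess_probability(count: int) -> float:
    """Chance that clicking at random passes all `count` rounds: 9^-count."""
    return (1 / GRID_SIZE) ** count


def guess_entropy_bits(count: int) -> float:
    """Equivalent secret size in bits: count * log2(9)."""
    return count * math.log2(GRID_SIZE)


if __name__ == "__main__":
    faces = enroll(FACE_LIBRARY, 5)

    # A user who knows their passfaces clicks the one face in each grid
    # that belongs to them.
    def knows_them(grid: List[str]) -> int:
        return next(i for i, f in enumerate(grid) if f in faces)

    # Someone who does not know them clicks a decoy every time.
    def does_not_know(grid: List[str]) -> int:
        return next(i for i, f in enumerate(grid) if f not in faces)

    print("legitimate user :", authenticate(faces, FACE_LIBRARY, knows_them))
    print("wrong clicks    :", authenticate(faces, FACE_LIBRARY, does_not_know))
    print("random guess    : 1 in", round(1 / random_guess_probability(5)))
    print("entropy (bits)  :", round(guess_entropy_bits(5), 2))
```

With the default of 5 passfaces the random-guess odds are 1 in 59049, roughly 15.8 bits, which is comparable to a short numeric PIN rather than to a pass phrase; the library size matters for how much a shoulder-surfer learns per observed login, not for the per-attempt odds, which is why rate limiting and lockout remain essential around a scheme like this.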

I know several of us who attended were intrigued by this new method, but I also thought about the various ways this system may be overcome and compromised. Either way, it's good to have some options.

