Passfaces

Realuser.com are positioning their Passfaces login solution as an alternative to passwords and as a “means to deter phishing attacks”.

I kinda like the solution, but I’m still having serious doubts regarding the strength of the authentication part. I have tried to get more information about the level of security through one of their German resellers, but haven’t received anything useful as of now. The white papers are not specific on this, either.

The white papers talk a lot about the psychology of recognizing the faces, and how your passfaces can’t be stolen easily, but that’s not what I’m worried about.

There is only a small section in the white papers talking about a brute force attack:

“However, it has been found by experiment that having overlarge grids or more than one passface per grid can be difficult or even confusing for the user. (Also note that the effective entropy of each passface is reduced if there is more than one per grid – this becomes very significant unless M is much smaller than P x Q. For example: the number of permutations of 3 passfaces picked from 3 separate 3 by 3 grids is 729; whereas 3 passfaces picked from the same 3 by 3 grid provides only 84 possibilities!) The 3 x 3 grid has the obvious advantage that it maps directly to a numerical keypad – allowing the Passface system to be used on devices such as ATMs and Web TVs where this may be the only means of user input. Using five passfaces picked from five 3×3 grids provides 9^5 combinations (i.e. a 1 in 59,049 chance that someone could guess them at random) which is sufficient for most consumer and business applications – provided, of course, that the system is not open to exhaustive search by an attacker. For comparison, consider the four-digit user-selected PIN used globally on ATM networks: the chances of someone guessing a PIN are less than 1 in 10,000 (users traditionally select from a much smaller set of numbers that are memorable such as dates and telephone numbers) yet because an attacker only has three tries before the system locks him out, this has proved quite adequate as a means of authenticating the card owner. Again, if the application or the security administrator demands higher security, then more than five passfaces can be used; there is no known limit to the number of faces that a person can remember.”

I guess most implementations will stick to 3×3, and anything more will probably just increase the burden on your support staff.

That leads me to the next issue: enrollment. In a large company, you will have to put in place procedures to enroll new users and “reset” passfaces. This may prove to be quite a big task with a large number of users, compared to sending out sealed envelopes with passwords. You will also need procedures to correctly identify users for password resets.

Apart from brute force, there’s another possible attack that I’ve been thinking of. You may know somebody’s user name, so just try a login and capture the screen where the first set of faces is being shown. Don’t click on any faces in order not to increase the failure count.

I was thinking of looking for faces appearing more often than others, but it may be even easier. The white paper says:

“Further, none of the faces has a tendency to stand out from the others. Only when a Passface is shown subsequently at login, will it then seem (to the user who is familiar with it) to stand out from the other eight “decoy” faces in the grid.
[…]
Note that, at login, a passface is always seen in a grid with the same eight decoy faces. Clearly, if the decoys varied between login sessions, then it would make it easy for an attacker to identify the passface as the constant. This may at first sight seem to present a problem since the user might be expected to eventually become familiar with the decoy faces and start confusing them with her passfaces. However, our experience and trials have shown that, although the users do indeed gain a certain level of familiarity with the decoys, their speed and accuracy at recognizing their passfaces actually increases. It seems that each login reinforces the user’s familiarity with their passfaces more than with their decoy faces.”

Now wait a minute – does this mean that I just need to record a set of login screens in order to identify the (constant) decoy faces and click on the one that’s different??? That would be too easy, wouldn’t it?

I would appreciate it if somebody could shed some light on this, as I really like the idea. And a company with Taher Elgamal on the advisory board can’t be all clueless in terms of security, can they?
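An added example, not from the original post or from Realuser: a small Python model of the grid presentation that the quoted white paper passage describes. It compares fixed decoys with decoys that vary between logins and counts how many faces per grid stay consistent with every login screen shown for one user. The face pool size, the function names and the random enrollment are assumptions made for illustration.

```python
import random

GRID = 9     # faces per 3x3 grid (figure from the white paper)
ROUNDS = 5   # passfaces per login (figure from the white paper)
POOL = 1000  # size of the face database (assumed for this model)

def make_user(rng):
    """Enroll a constructed user: one passface plus eight fixed decoys per round."""
    faces = rng.sample(range(POOL), GRID * ROUNDS)
    return [(faces[i * GRID], faces[i * GRID + 1:(i + 1) * GRID])
            for i in range(ROUNDS)]

def show_fixed(user, rng):
    """Design described in the white paper: the same eight decoys at every login."""
    return [set([passface] + decoys) for passface, decoys in user]

def show_varying(user, rng):
    """Weak design the white paper warns about: fresh decoys at every login."""
    grids = []
    for passface, _ in user:
        others = [f for f in range(POOL) if f != passface]
        grids.append(set([passface] + rng.sample(others, GRID - 1)))
    return grids

def candidates_after(show, user, logins, rng):
    """Per round, how many faces appear in every one of `logins` screens."""
    seen = show(user, rng)
    for _ in range(logins - 1):
        seen = [a & b for a, b in zip(seen, show(user, rng))]
    return [len(s) for s in seen]

def guess_space(candidates):
    """Number of face sequences still consistent with what was displayed."""
    total = 1
    for c in candidates:
        total *= c
    return total

if __name__ == "__main__":
    rng = random.Random(7)   # fixed seed so the constructed run is repeatable
    user = make_user(rng)
    for name, show in (("fixed decoys", show_fixed), ("varying decoys", show_varying)):
        cands = candidates_after(show, user, 10, rng)
        print(name, cands, "remaining guess space:", guess_space(cands))
```

With fixed decoys the remaining guess space stays at 9^5 = 59,049 no matter how many screens are displayed, so the lockout counter is what limits guessing; with varying decoys it collapses to a single sequence.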