Product Reviews

Face in the Crowd

Passfaces authenticates users by having them recognize faces instead of remembering passwords.

• By Rick A. Butler
• 09/01/2004

If a password is too complex to remember, a user will invariably write it down. Users often lose passwords as well, which prevents them from logging on until IT intervenes.

Passfaces, from Maryland-based RealUser, takes a decidedly different approach to authentication. Coming in two flavors, one for Active Directory and one for Web servers, Passfaces uses facial recognition to verify a user's authenticity. The concept is based on cognitive authentication, or verifying something you know. How is this different from entering a password? While it derives from the same family of authenticators, Passfaces leverages the mind's inherent ability to recognize faces, which is easier than remembering a random string of numbers.

Here's how it works: The program introduces the user to a grid of nine faces, from which he picks one to remember. He is then presented with another grid of nine faces and so on, depending on the number of faces the user is required to recall to complete authentication. By selecting faces as opposed to remembering passwords, users are far less prone to losing or forgetting their logon credentials, even if they're rarely used. The mind has an uncanny ability to remember faces. How often have you said, "I know that face, I just forget the name."

For IT administrators, installing and configuring the software is relatively painless. Install it on your domain controllers and the clients that need to log in. There was one slight snag during set up. Users need to be able to edit their own account container in AD, so you're going to have to bestow write access on SELF in the ACL. (There's a tool in the bundle to do this automatically).

Once installed, the software runs very cleanly. Passfaces acts as a supplemental authentication system, storing its hash in the User Comment field. Should you want to use a different attribute in AD to store this hash, you'll need to get a customized version of Passfaces. I particularly like the software licensing arrangement. You purchase by the user, not by client installed.

When logging on, users see a grid of nine faces, instead of an austere, asterisk-filled password box.

Passfaces is easy to use, so much so that I went through the Passfaces training procedure with my five-year-old daughter, selecting and training her to find the five faces which would let her logon to a system. She completed the process with no effort at all. The product relies on the human brain's ability for pattern recognition, as opposed to remembering a sequential string of characters.

Passfaces doesn't completely replace the need for a password, as users are still required to provide a password in order to reach the initial Passfaces logon exchanges. Since there is an additional level of authentication though, you may not need complex passwords.

The biggest downer with Passfaces is that if you have a password complexity policy in place, you have to configure and use Passfaces to comply with that policy. Networks like governmental systems require a complex password policy to pass the accreditation procedure for Information Assurance. Passfaces only uses 4-bits per face, meaning it would take 16 faces to meet the equivalent of the eight-character password.

Passfaces replaces the aggravation of remembering complex alphanumeric passwords with a more intuitive approach—a bonus on lower security networks that need a bit more clamping down. If you have a complex password environment already, you're going to have to relax your security policies (if you can) to implement Passfaces, otherwise the tool could potentially become a burden on your domain.