First published: 31st July 2007
Passwords are recognised as an easy and cheap-to-implement method of authentication, but their disadvantages are low security and the recurring cost of users forgetting them. Many alternatives have been proposed, and one that has gained recent attention is "Passfaces", designed and sold by Passfaces Corporation. How does it really compare to passwords?
In the Passfaces system, users are required to remember a series of faces, and select them from a grid of other faces when they log in. In the demonstration on the Passfaces website, guests are asked to remember one face from each of three grids of nine faces. This is an easy task, and the demonstration works acceptably. However, this only provides 9^3 = 729 distinct sequences, or about 9.5 bits of entropy (log2 729 ≈ 9.5). Assuming English provides 1.3 bits of entropy per character, this is equivalent to roughly an eight-letter English password (9.5 / 1.3 ≈ 7.3 letters), which, as it would be vulnerable to a dictionary attack, would be considered very weak.
Of course, the strength could be increased by using a longer sequence of faces, but would that still be easy to use? What if every website you logged in to required remembering a long sequence of faces?
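The keyspace arithmetic above, and the question of how many faces a longer sequence would actually need, generalise to any grid size and sequence length. The following is an added example, not code from the article or from Passfaces Corporation. It keeps the article's assumption of 1.3 bits of entropy per English character; the 40-bit target used in the usage line is an illustrative choice, not a figure from the article. It also enumerates the face sequences in order to show how few guesses an attacker who is not rate-limited needs to exhaust the demonstration's configuration.

```python
import itertools
import math

# Entropy-per-character estimate for English text, as assumed in the article.
BITS_PER_ENGLISH_CHAR = 1.3


def passfaces_keyspace(grid_size: int, sequence_length: int) -> int:
    """Number of distinct face sequences when one face is chosen from each grid."""
    return grid_size ** sequence_length


def entropy_bits(grid_size: int, sequence_length: int) -> float:
    """Entropy in bits of a uniformly chosen face sequence."""
    return math.log2(passfaces_keyspace(grid_size, sequence_length))


def equivalent_english_length(bits: float,
                              bits_per_char: float = BITS_PER_ENGLISH_CHAR) -> int:
    """Length of English text carrying the same entropy, rounded up."""
    return math.ceil(bits / bits_per_char)


def faces_needed(grid_size: int, target_bits: float) -> int:
    """Smallest sequence length whose keyspace reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(grid_size))


def online_guess_probability(grid_size: int, sequence_length: int,
                             attempts: int) -> float:
    """Chance that `attempts` distinct random guesses (e.g. before a lockout)
    hit a uniformly chosen sequence."""
    return min(1.0, attempts / passfaces_keyspace(grid_size, sequence_length))


def brute_force(secret, grid_size: int) -> int:
    """Walk every face sequence in lexical order until `secret` matches.

    Faces are indexed 0..grid_size-1 within each grid. Returns the number of
    guesses made; the worst case equals the whole keyspace.
    """
    secret = tuple(secret)
    candidates = itertools.product(range(grid_size), repeat=len(secret))
    for count, candidate in enumerate(candidates, start=1):
        if candidate == secret:
            return count
    raise ValueError("secret is not a valid sequence for this grid size")


if __name__ == "__main__":
    bits = entropy_bits(9, 3)
    print(f"demo keyspace: {passfaces_keyspace(9, 3)} sequences, {bits:.1f} bits")
    print(f"equivalent English password length: {equivalent_english_length(bits)}")
    print(f"faces needed for 40 bits with 9-face grids: {faces_needed(9, 40)}")
    print(f"5 guesses before lockout succeed with p = "
          f"{online_guess_probability(9, 3, 5):.4f}")
    # Worst-case exhaustive search against the demo configuration.
    print(f"guesses to exhaust demo keyspace: {brute_force((8, 8, 8), 9)}")
```

Run as a script it reproduces the article's figures (729 sequences, about 9.5 bits, an eight-letter English equivalent) and shows that reaching 40 bits with nine-face grids needs thirteen faces in sequence. The `online_guess_probability` figure is the practical consequence of a 729-entry keyspace: with a typical five-attempt lockout, each attempt window gives an attacker roughly a 0.7% chance per account, so the scheme relies entirely on rate limiting rather than on the size of the secret.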
The Passfaces website also claims, "When used with a simple password, Passfaces provides a second factor in a two factor authentication process". This is simply wrong: Passfaces and passwords are both "something you know", and therefore constitute a single factor of authentication. A genuine second factor must come from a different category, such as something you have (a token) or something you are (a biometric).
One scientific usability study of Passfaces at UCL had mixed results: the number of failed logins was drastically reduced by Passfaces, but the number of reminder requests (which directly affect helpdesk calls and costs) was not. The study also noted that logging in with Passfaces took significantly longer on low-powered hardware.
So, if you want a "something you know" authentication method that requires more processing power than passwords, and might be easier for users, but which is not stronger than passwords, Passfaces might be what you are looking for.