Face-recognition could be the key to a new password system

A new image-based authentication system developed at York could spell the end of letter or number-based passwords.

‘Facelock’, developed by psychologist Dr Rob Jenkins, exploits our ability to recognise faces across a wide range of images, even when the image quality is poor.

To register with the system, users nominate a set of faces that are well known to them, but not well known to other people. Users log in by selecting the faces they recognise from a grid. Psychological research has shown that familiarity with a face is virtually impossible to lose while passwords can be forgotten in days.

Fraudsters can't fake it

Another advantage is that familiarity is hard to fake, making the system difficult for fraudsters to crack.

Dr Jenkins explained: “Pretending to know a face that you don’t know is like pretending to know a language that you don’t know – it doesn’t work. The only system that can reliably recognise faces is a human who is familiar with the faces concerned.”

Studies showed a 97.5 per cent success rate for the system – and even 12 months later, 86 per cent of those taking part in the study were still able to recall the faces successfully.

Fraud protection

“To protect against fraud, security codes need to be difficult to guess – but this also makes them hard to remember. We are often faced with a choice between forgetting a code, which can be frustrating and inconvenient, or writing it down, which compromises security,” said Dr Jenkins.

The researchers, who included Jane McLachlan and Karen Renaud of the School of Computing Science at the University of Glasgow, asked volunteers to name minor celebrities or sports stars to create their personal ‘lock’.

They then asked volunteer ‘attackers’ to watch a successful login based on four target faces. The studies demonstrated that attacks could be thwarted by using different photos of the same faces. For the user, who is familiar with the target faces, it is easy to recognise the faces across a range of images. For the attacker, who is unfamiliar with the target faces, selecting the correct images is difficult.

Dr Jenkins said: “We hope that software developers will now take this framework and turn it into a polished app, while other experts optimise the usability of the system. If those two things happen, you could see this system on your device in the next product cycle.”

The text of this article is licensed under a Creative Commons Licence. You're free to republish it, as long as you link back to this page and credit us.

Pretending to know a face that you don’t know is like pretending to know a language that you don’t know – it doesn’t work. The only system that can reliably recognise faces is a human who is familiar with the faces concerned.”

Dr Rob Jenkins
Department of Psychology
Featured researcher

Dr Rob Jenkins

An award-winning BPS Chartered Psychologist and a member of the RSE Young Academy of Scotland.

View profile

Discover the details

Find out more in the York Research Database

Article

Visit the department

Related stories

Explore more research

Research

Treespotting: past, present and future

A research project needed to spot trees on historic ordnance survey maps, so colleagues in computer science found a solution.
Research

Could TeachQuest! Be the future of teacher selection?

We’re using gaming technology to ensure prospective teachers are fully prepared for their careers.
Research

Healthcare comes home

A low cost, high-accuracy device, could play a large part in the NHS's 'virtual wards'.
Research

York science at the heart of ambitious fusion energy bid

York scientists are at the centre of an ambitious bid to bring low carbon fusion energy to Yorkshire.