Face time
A new computer password system is based on recalling faces.
Seth Stevenson, FSB contributor

NEW YORK (FORTUNE Small Business Magazine) - Consider all the problems with computer passwords. Employees forget them or make them dangerously simple. (According to one security expert, "password" is among the most popular choices.) Or they write them on Post-it notes and stick them on a monitor where someone could find them and stroll into a network.

Well-chosen, intricate passwords aren't much better. "The human capacity to remember long, complicated passwords is limited," says Bruce Schneier, CTO of Counterpane Internet Security in Mountain View, Calif. "But computers are getting better at guessing passwords by using a 'dictionary attack'"--in which a program randomly enters letter-number sequences until it hits on the right one.

Passfaces CEO Paul Barrett
Passfaces CEO Paul Barrett

But what if an authentication system could sidestep these issues? A fast-growing Annapolis firm called Passfaces says its software can do just that. With Passfaces, you log on to your office network (or, say, your online banking page) by taking advantage of your astonishing neurological talent for recognizing faces--a talent you may not even realize you have.

The system initially assigns you five random faces to remember. These are passport-style photos of actual people. (Passfaces finds its models by setting up booths around British universities; the founder, Hugh Davies, is from Wales.) Each face is flashed onto your screen, one at a time, until you've memorized all five.

When it's time to log on, you get a series of three-by-three grids--nine images with one of your assigned faces in each grid. If you correctly identify "your" face in each grid, you're allowed access. You can't describe your faces to someone else, because "cute blond woman" won't work. The software is relatively inexpensive--about $8 a year for each user (based on a 100-person office).

Professional Risk Management Services, an Arlington, Va., company that manages insurance programs for doctors and hospitals, started using Passfaces software in 2004. The installation, says Max Ahmadi, vice president for information services at the $50-million-a-year company, was "very user-friendly," and PRMS hasn't experienced any problems with the software. "Our employees use a lot of remote connections--cybercafés, hotel networks--and we wanted to make sure no one could tamper with us," he says. "We still use passwords, but this provides an extra level of security." More impressive, about 1,000 staff members and lawmakers in the U.S. Senate are now using Passfaces.

The gift for remembering a face is an evolutionary trait that we use every day and often take for granted. Consider that time you bumped into an old junior-high classmate on the street and easily recognized him--even though the last time you'd seen him was many years (and perhaps many pounds) before. Or think about those identical twins you always manage to tell apart.

Davies, the Welsh inventor, launched Passfaces in March 2000, right in the teeth of the dot-com crunch. "Not the most auspicious time for a startup," says CEO Paul Barrett, who has been with the company from the beginning. (Today Davies serves on the board of advisors.) "We downsized and went into hibernation," scaling back from 12 employees to three.

Since then the company has rebounded strongly, to almost $3 million in annual revenue. Barrett can't talk much about the U.S. Senate deal or other customers, but he says Passfaces expects to announce several new clients in the coming months, as well as another round of financing.

"My impression is that they have a strong patent position," says Steve Bowsher, general partner at InterWest Partners, a tech-based VC fund in Menlo Park, Calif., that is considering an investment in PassFaces.

Some security specialists feel that a Passfaces-type system might be compromised by "event loggers"--programs that remotely record the images on your screen and the keystrokes and mouse clicks that happen while those images are up. If you want extra security, Schneier at Counterpane advocates a two-step authentication process (using, say, an ID card or token).

Barrett concedes that the program is useless for two groups: (1) a tiny slice of the population with a genetic condition called prosopagnosia, which prevents them from recognizing faces--even, in extreme cases, those of their children--and (2) the blind.

The bottom line for almost everyone else: Say goodbye to "Rt84bananaQ5" and say hello to that blond you just can't forget.


Five ways to safeguard your ID online. Click here.

Stop ID theft before it happens. Read moreTop of page

To write a note to the editor about this article, click here.

Follow the news that matters to you. Create your own alert to be notified on topics you're interested in.

Or, visit Popular Alerts for suggestions.
Manage alerts | What is this?