In the war against cybercrime, traditional passwords may be going the way of the musket.
Several technology vendors are promoting alternatives to the easily shared, easily forgotten, and easily compromised password for authentication. The challenge is to develop a system that makes it harder for criminals to access an online banking account without making the new log-on procedures too hard for legitimate users.
One idea, from Real User Corp. of Annapolis, Md., gives passwords a new face — literally.
Paul Barrett, Real User’s chief executive, said that instead of words or numbers, his security system uses photos of U.K. college students’ faces. The system presents a user with a set of nine faces, only one of which is among the several “pass faces” assigned to that user.
To access accounts, the user must correctly select the pass face from this Brady Bunch-style grid. To prevent people from simply guessing their way to unauthorized access, the system requires users to repeat the process between three and seven times. Each set of faces is different, and each includes only one of the user’s pass faces.
“Pass faces themselves provide a direct replacement for passwords,” Mr. Barrett said. “In a way, they’re the [graphical] equivalent of a password.”
The human brain is hard-wired to recall faces more easily than most other patterns, so even though it may be hard for people to describe what their pass faces look like, they will rarely forget the faces assigned to them, he said.
And critics of the concept tend to be won over once they have tried it, Mr. Barrett said. “People, even if they understand it academically, are not certain that they’ll be able to do it themselves … [but] when you present the user with it, they find that they can do it.”
The grids of faces are jumbled each time they are presented, so the pass face appears in a different location. To guard against keylogger applications, which can monitor a victim’s computer habits and send personal information back to a criminal, the data transmitted to a bank during log-on describes only the pass face’s location, not details about what it looks like.
The Senate has been using Real User’s technology for a year, and the vendor has demonstrated it for two banking companies: Citigroup Inc., for its European staff, and BankBlackwell, a new Internet bank in Boston. Neither is a customer yet.
Swivel Secure Ltd. of Harrogate, England, is marketing a system that replaces the password with a PIN-like code, which is used to decode a string of numbers that is presented to the user to find the real authorization password. For example, if a person’s code were 2468, the user would look at the 10-digit number on the Web site and then type in the second, fourth, sixth and eighth digit in order to log on.
The code is used “to extract digits from the security string to get a one-time code,” explained Stephen Meredith, Swivel’s vice president of marketing and public relations.
The code is as easy to remember as a password or PIN that most systems use today, Mr. Meredith said.
Swivel’s approach would also thwart a keylogger application, because the user’s PIN-code “is never typed at the keyboard,” and the numbers that are typed will grant access only once, he said. (The code stays the same.) The keylogger “can sniff away all it likes, and we don’t care.”
According to Mr. Meredith, Winston Keech, Swivel’s founder, was once a victim of credit card fraud, and the experience motivated him to develop a better way to verify people’s identity.
Banks can present the undecoded string of numbers on their Web sites, but for additional security, Mr. Meredith suggests that they deliver the string to customers as a cell phone text message. This can be done in advance and stored until needed, in case the phone has trouble receiving a signal when the user wants to access an account. Someone planning a trip outside the phone carrier’s coverage area can download several of the 10-digit strings, each of which expires when it is used.
Swivel already has several customers, including Viacom International Inc.’s MTV and the computer chip manufacturer ATI Technologies Inc. Swivel recently began touting its software to banks and has demonstrated it to one in the United States and two in the United Kingdom.
Entrust Inc. of Addison, Tex., has a similar system, IdentityGuard, that works in reverse. The user carries around a string of numbers and is presented with a different code at every log-on. To access the site, the user applies the code to the digits on the card.
Entrust likens its system to a game of bingo — the code on the bank’s site translates into a set of coordinates on a grid that resembles a bingo card. (The grid can be mailed to people as a statement insert, printed on the back of an automated teller machine card, or featured on a separate card.)
Avivah Litan, a vice president and research director at Gartner Inc. in Stamford, Conn., said all of these systems are substantially better than the current ones that use passwords, but she cautions banks that no single system by itself will prevent online account theft.
For example, viruses can be planted on a person’s computer that will wait for the user to log on to an account and then “immediately run a script to move money out of your account,” she said.
