An online authentication method based on recognizing faces — an idea so offbeat that even the vendor behind it has largely abandoned its efforts to sell it to banks — may be getting a second chance after Facebook Inc. devised a similar system for extreme security cases.
Most people are hardwired to recognize the faces of people they've seen before, and this instinct can be adapted for the purpose of online authentication. In one implementation, consumers are asked to verify their identities by selecting a familiar face out of a "Brady Bunch"-style grid. The advantage of this over passwords is that consumers cannot easily write down or describe the right face in a way that is useful to hackers.
Facebook began using a similar system, based on its own database of faces from photos that users have uploaded to its social networking site, to secure the accounts of Tunisian citizens against government intrusion in January during that country's unrest. Facebook asked users to verify the faces of their friends as part of a strengthened login process. It plans to offer this feature as an extra layer of security to all its customers later this year, and it may spark renewed interest among financial services companies in facial recognition security procedures.
"It is not a bad idea for the banks," said Avivah Litan, a vice president and distinguished analyst at Gartner Inc.
Litan said banks in general need to improve all layers of their customer-facing security.
Royal Credit Union Inc. in Eau Claire, Wis., has employed such a system to secure its customers' online banking sessions since 2008. It uses a product from Passfaces Corp. that works by training users to recognize randomly assigned faces in several screens that display grids of nine faces each. Users click on the face they recognize, scrolling along three to five screens. The faces appear in different positions on the grids for each login.
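The mechanics described above (a user trained on randomly assigned faces, several screens of nine faces each, positions reshuffled on every login) can be modelled as a short challenge-response routine. The following is an added illustration written for this page, not code from Passfaces Corp. or Royal Credit Union; the function names, the pool of integer face IDs standing in for images, and the choice of four rounds are all assumptions.

```python
"""
Added example (not Passfaces Corp.'s or RCU's code): a minimal server-side
model of a Passfaces-style login. Face IDs are integers standing in for
images; FACE_POOL is a constructed pool, and all names here are hypothetical.
"""
import random
import secrets
from dataclasses import dataclass

GRID_SIZE = 9            # nine faces per screen, as the article describes
ROUNDS = 4               # the article says three to five screens; four assumed here
FACE_POOL = range(1000)  # constructed pool of face IDs (a real system holds images)


@dataclass
class Enrollment:
    """The randomly assigned faces a user is trained to recognize, one per round."""
    assigned: list


def enroll(rounds=ROUNDS, pool=FACE_POOL):
    """Assign `rounds` distinct faces using the OS CSPRNG, so assignment is
    unpredictable and unrelated to anything the user already knows."""
    rng = secrets.SystemRandom()
    return Enrollment(assigned=rng.sample(list(pool), rounds))


def make_challenge(enrollment, pool=FACE_POOL):
    """Build one login: per round, a grid of GRID_SIZE faces holding exactly one
    assigned face plus decoys, shuffled so positions differ on every login."""
    rng = secrets.SystemRandom()
    # Decoys never include any assigned face, so each grid has one right answer.
    decoy_pool = [f for f in pool if f not in enrollment.assigned]
    grids = []
    for target in enrollment.assigned:
        grid = rng.sample(decoy_pool, GRID_SIZE - 1) + [target]
        rng.shuffle(grid)
        grids.append(grid)
    return grids


def verify(enrollment, grids, clicks):
    """Check the clicks (one grid index per round). Every round is evaluated
    before returning so timing does not reveal which round failed."""
    if len(clicks) != len(grids):
        return False
    ok = True
    for target, grid, idx in zip(enrollment.assigned, grids, clicks):
        if not (0 <= idx < GRID_SIZE) or grid[idx] != target:
            ok = False
    return ok


def guess_probability(rounds=ROUNDS, grid_size=GRID_SIZE):
    """Chance that a bot clicking uniformly at random passes every round."""
    return (1.0 / grid_size) ** rounds


def random_guess_success_rate(enrollment, trials=2000, seed=0):
    """Simulate a uniformly guessing bot (seeded PRNG for reproducibility)
    to confirm the closed-form probability above."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        grids = make_challenge(enrollment)
        clicks = [rng.randrange(GRID_SIZE) for _ in grids]
        hits += verify(enrollment, grids, clicks)
    return hits / trials


if __name__ == "__main__":
    e = enroll()
    grids = make_challenge(e)
    honest = [g.index(t) for g, t in zip(grids, e.assigned)]
    print("honest login accepted:", verify(e, grids, honest))
    print("random-guess pass chance per attempt:", guess_probability())
```

With four screens of nine faces, a blind guess succeeds once in 6,561 attempts, which is only meaningful if the server also limits failed attempts per account; the per-round randomization of positions is what stops a recorded click sequence from being replayed as-is.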
RCU previously used the Passmark system, now owned by EMC Corp.'s RSA Security. That system presents a static image for each login — its purpose is to authenticate the website to the user, assuring customers that they are not at a phisher's spoof site.
Jim Watts, RCU's chief information officer, said the $1.25 billion-asset credit union switched because it wanted to add more layers of security than Passmark offered. Watts said the credit union was intrigued with the idea that people are wired to remember faces, even after months of not using an account, and thought this might be useful to its 135,000 members.
"The value is that it is very secure, and the members can be assured they are logging on to our online banking system when they recognize their faces," Watts said.
RCU piloted the technology with a test group of customers more than 60 years old, under the assumption that older people would have the most difficulty remembering faces. It then rolled out the product to the rest of its members, making it optional for the first two months.
Watts said customer adoption problems were not an issue with Passfaces. The credit union prepared the call center for more calls, which he said subsided after about two weeks.
"I don't know how many [hacker attacks] we prevented, but we have not had one since we implemented the system," Watts said.
At the same time, Watts said, credit unions and banks might not be the best candidates to use Facebook's method of securing logins by asking users to identify the faces of people they know.
"If I am a bad guy stalking you, I may recognize the same faces as you," Watts said. "It's the randomness of this that is helpful."
Industry experts agreed. Julie Conroy McNelley, senior risk and fraud analyst for Aite Group in Boston, said it might pose a host of problems for banks and consumers to use a security system that depends on identifying the faces of people they know.
One of those challenges is the enrollment step itself: the customer would first have to upload images, and McNelley said many might resist, both out of privacy concerns and out of reluctance to provide enough photos to enroll.
"You have an attrition risk that financial institutions are striving to bridge," McNelley said. "How can we make the situation secure, without putting so many barriers in front of the consumer that you lose them?"
Another issue, according to Litan, is that "anything that goes through the browser can be defeated, whether that's recognizing faces or answering questions."
At the same time, experts said, anonymous faces might function much like "captchas," the distorted letters that websites often ask consumers to decipher to make sure they are not bots or malware trying to access accounts.
And that raises another issue: Watts said the Passfaces system prevents account aggregation sites from gathering information from the credit union's online service, because aggregation engines can't recognize faces either. Such sites are increasingly popular.
"A human has to be there to recognize the faces," Watts said.