An online authentication method based on recognizing faces — an idea so offbeat that even the vendor behind it has largely abandoned its efforts to sell it to banks — may be getting a second chance after Facebook Inc. devised a similar system for extreme security cases.
Most people are hardwired to recognize the faces of people they've seen before, and this instinct can be adapted for the purpose of online authentication. In one implementation consumers are asked to verify their identities by selecting a familiar face out of a "Brady Bunch"-style grid. The advantage of this over passwords is that consumers cannot easily write down or describe the right face in a way that is useful to hackers.
Facebook began using a similar system, based on its own database of faces from photos that users have uploaded to its social networking site, to secure the accounts of Tunisian citizens against government intrusion in January during that country's unrest. Facebook asked users to verify the faces of their friends as part of a strengthened login process. It plans to offer this feature as an extra layer of security to all its customers later this year, and it may spark renewed interest among financial services companies in facial recognition security procedures.
"It is not a bad idea for the banks," said Avivah Litan, a vice president and distinguished analyst at Gartner Inc.
Litan said banks in general need to improve all layers of their customer-facing security.
Royal Credit Union Inc. in Eau Claire, Wis., has employed such a system to secure its customers' online banking sessions since 2008. It uses a product from Passfaces Corp. that works by training users to recognize randomly assigned faces in several screens that display grids of nine faces each. Users click on the face they recognize, scrolling along three to five screens. The faces appear in different positions on the grids for each login.
RCU previously used the Passmark system, now owned by EMC Corp.'s RSA Security. That system presents a static image for each login — its purpose is to authenticate the website to the user, assuring customers that they are not at a phisher's spoof site.
Jim Watts, RCU's chief information officer, said the $1.25 billion-asset credit union switched because it wanted to add more layers of security than Passmark offered. Watts said the credit union was intrigued with the idea that people are wired to remember faces, even after months of not using an account, and thought this might be useful to its 135,000 members.
"The value is that it is very secure, and the members can be assured they are logging on to our online banking system when they recognize their faces," Watts said.
RCU piloted the technology with a test group of customers more than 60 years old, under the assumption that older people would have the most difficulty remembering faces. It then rolled out the product to the rest of its members, making it optional for the first two months.
Watts said customer adoption problems were not an issue with Passfaces. The credit union prepared the call center for more calls, which he said subsided after about two weeks.
"I don't know how many [hacker attacks] we prevented, but we have not had one since we implemented the system," Watts said.
At the same time, Watts said, credit unions and banks might not be the best candidates to use Facebook's method of securing logins by asking users to identify the faces of people they know.