An online authentication method based on recognizing faces — an idea so offbeat that even the vendor behind it has largely abandoned its efforts to sell it to banks — may be getting a second chance after Facebook Inc. devised a similar system for extreme security cases.
Most people are hardwired to recognize the faces of people they've seen before, and this instinct can be adapted for the purpose of online authentication. In one implementation, consumers are asked to verify their identities by selecting a familiar face out of a "Brady Bunch"-style grid. The advantage of this over passwords is that consumers cannot easily write down or describe the right face in a way that is useful to hackers.
Facebook began using a similar system, based on its own database of faces from photos that users have uploaded to its social networking site, to secure the accounts of Tunisian citizens against government intrusion in January during that country's unrest. Facebook asked users to verify the faces of their friends as part of a strengthened login process. It plans to offer this feature as an extra layer of security to all its customers later this year, and it may spark renewed interest among financial services companies in facial recognition security procedures.
"It is not a bad idea for the banks," said Avivah Litan, a vice president and distinguished analyst at Gartner Inc.
Litan said banks in general need to improve all layers of their customer-facing security.
Royal Credit Union Inc. in Eau Claire, Wis., has employed such a system to secure its customers' online banking sessions since 2008. It uses a product from Passfaces Corp. that works by training users to recognize randomly assigned faces in several screens that display grids of nine faces each. Users click on the face they recognize, scrolling along three to five screens. The faces appear in different positions on the grids for each login.
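The following is an added illustration of the login flow described above, not Passfaces' own code (which is proprietary); the face pool, the face identifiers and the three-screen count are constructed assumptions. It enrolls a user with one randomly assigned secret face per screen, builds a fresh nine-face grid per screen with the secret at a random position among decoys, verifies the clicked positions, and reports the odds of passing by blind clicking.

```python
import random

GRID_SIZE = 9   # nine faces per screen, as the article describes
SCREENS = 3     # the article says three to five screens; three is assumed here

# Constructed stand-ins for the vendor's face images (assumption).
FACE_POOL = [f"face{n:03d}" for n in range(1, 101)]

# Non-deterministic RNG, as an authentication server would use.
_RNG = random.SystemRandom()


def enroll(face_pool=FACE_POOL, screens=SCREENS, rng=_RNG):
    """Assign the user one randomly chosen secret face per screen (the training set)."""
    return rng.sample(face_pool, screens)


def build_challenge(secret_faces, face_pool=FACE_POOL, rng=_RNG):
    """Build one grid per screen: the screen's secret face plus eight decoys.

    Positions are re-randomized on every call, so a recorded sequence of
    clicks from one login does not replay against the next.
    """
    decoy_pool = [f for f in face_pool if f not in secret_faces]
    challenge = []
    for secret in secret_faces:
        grid = rng.sample(decoy_pool, GRID_SIZE - 1)
        grid.insert(rng.randrange(GRID_SIZE), secret)
        challenge.append(grid)
    return challenge


def verify(challenge, secret_faces, selections):
    """Accept only if the clicked position on every screen holds that screen's secret face."""
    if len(selections) != len(secret_faces):
        return False
    ok = True
    for grid, secret, pos in zip(challenge, secret_faces, selections):
        ok &= bool(0 <= pos < GRID_SIZE and grid[pos] == secret)
    return ok


def guess_probability(screens=SCREENS, grid_size=GRID_SIZE):
    """Chance that blind clicking passes: one in grid_size per screen, independently."""
    return (1 / grid_size) ** screens
```

With three screens the blind-guess probability is 1/729; with the five screens the article also mentions it is 1/59,049, which is why lockout after a few failed logins still matters.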
RCU previously used the Passmark system, now owned by EMC Corp.'s RSA Security. That system presents a static image for each login — its purpose is to authenticate the website to the user, assuring customers that they are not at a phisher's spoof site.
Jim Watts, RCU's chief information officer, said the $1.25 billion-asset credit union switched because it wanted to add more layers of security than Passmark offered. Watts said the credit union was intrigued with the idea that people are wired to remember faces, even after months of not using an account, and thought this might be useful to its 135,000 members.
"The value is that it is very secure, and the members can be assured they are logging on to our online banking system when they recognize their faces," Watts said.
RCU piloted the technology with a test group of customers more than 60 years old, under the assumption that older people would have the most difficulty remembering faces. It then rolled out the product to the rest of its members, making it optional for the first two months.
Watts said customer adoption problems were not an issue with Passfaces. The credit union prepared the call center for more calls, which he said subsided after about two weeks.
"I don't know how many [hacker attacks] we prevented, but we have not had one since we implemented the system," Watts said.
At the same time, Watts said, credit unions and banks might not be the best candidates to use Facebook's method of securing logins by asking users to identify the faces of people they know.
"If I am a bad guy stalking you, I may recognize the same faces as you," Watts said. "It's the randomness of this that is helpful."
Industry experts agreed. Julie Conroy McNelley, senior risk and fraud analyst for Aite Group in Boston, said it might pose a host of problems for banks and consumers to use a security system that depends on identifying the faces of people they know.
One such challenge is first asking customers to upload images, which McNelley said many might resist, both out of privacy concerns and out of reluctance to provide enough photos to enroll.
"You have an attrition risk that financial institutions are striving to bridge," McNelley said. "How can we make the situation secure, without putting so many barriers in front of the consumer that you lose them?"
Another issue, according to Litan, is that "anything that goes through the browser can be defeated, whether that's recognizing faces or answering questions."
At the same time, experts said, anonymous faces might function much like "captchas," the distorted letters that websites often ask consumers to decipher to make sure they are not bots or malware trying to access accounts.
And that raises another issue: Watts said the Passfaces system prevents account aggregation sites from gathering information from the credit union's online service, because aggregation engines can't recognize faces either. Such sites are increasingly popular.
"A human has to be there to recognize the faces," Watts said.
Paul Barrett, a co-founder of Passfaces and its chief executive, said that roughly 12 credit unions and two banks are using the Oak Hill, Va., company's technology but that it has had more traction with nonfinancial companies.
"We haven't kept a strong focus on banking, and our most recent sales have been in health care," Barrett said. He said doctors are more demanding about security procedures than bank consumers, who tend to passively accept what the banks give them.
Another barrier has been that banks typically work with third-party vendors for their online banking services, and these vendors favor standard security procedures, such as passwords and knowledge-based authentication.
"The banks go with what their providers give them," Barrett said. "We had some instances where a bank basically would use us, but the providers would not."
In those cases, the providers got the final say, and Passfaces lost its prospective customer.
What was interesting about the new security measure from Facebook, Barrett said, is that it required minimal extra steps for consumers, because users already recognize the faces of people they know. "Facebook obviously already has lots of faces, which could be used in the process, without taking users through a training process."
The drawback, he said, was that hackers might target individual users through Facebook to get to know their friends' faces.