I am Hack Sparrow
Captain of the Internets.

Passface – an alternative authentication system

Make a face to authenticate yourself!

To begin, I have absolutely no idea if someone else has thought up this concept yet or not. I got this idea a few days ago, worked on it quite a bit, and decided I'll share it with all the nice people on the Internets. Oh yes, I did try googling "passface" and all I got was results for "passfaces". Passfaces shows you a list of faces and to authenticate you select the one which you chose as your passface. Passfaces might as well be passanimals or passpants; passface is not related to the passfaces technology in any way.

So, what is passface? From the title "Make a face to authenticate yourself!" you might have guessed already what it is. You make a secret signature face, which no one else can of course (unless you have an identical twin who knows your passface), and which you use to authenticate to a system securely.

The passface alternative authentication system eliminates the use of passwords, which happen to be the main reason for security breaches today - default passwords, easy passwords, keyloggers, packet sniffers, SQL injection, compromised servers ... and all other means of acquiring your passwords.

So how does passface work?

Passface is based on face recognition; but it is not recognition of your normal face, it is recognition of a distorted face of yours. If it were based on normal face recognition, anyone could pass off as you by waving a photograph of yours.

To give you a better idea of what passfaces might look like, I show you some examples:

Now, ask yourself who else could make those exact faces? Only them, right? Well, maybe their identical twin, if they have one who has seen their passfaces here. I would advise these people not to use these faces as their passfaces, as they have been digitally captured and are not secure anymore.

This is how the passface system works. Please note I use the terms hash and match loosely here.

User creation

i. Stand in front of the camera.
ii. Make a weird face for your passface. If the face is not weird enough, the system informs you.
iii. Once the face is weird enough (does not look like your normal face), system captures the passface.
iv. System generates a salted 'hash' of the face recognition data of the passface and stores it on the server.
v. You set an override password, which can be used to override the passface system after x number of days or months of not authenticating using passface. It cannot be used before that.

User authentication

i. Make your passface in front of the camera.
ii. System salts the face recognition data, 'hashes' it, and compares with the existing ones on the server.
iii. If a 'match' is found, the system updates the 'hash' for the user with the current 'hash' that was just input. You'll soon find out why we do that.

Time to answer some hypothetical questions. If you have more, please post them in the comments.

What if the person grows a beard, becomes fatter or thinner, or becomes old?

Every time you authenticate correctly, a fresh copy of the passface is generated and stored in a salted hash. The passface changes with your face, whether you become fat or thin, or grow old.

Ok, so what if a hacker (a bad one) gets a copy of the passface from the server?

The passface is not stored physically on the server. It is just a salted hash which will be stored on the server. So it is pretty much useless to anyone unless they have access to the salting algorithm, but then it is an altogether different issue.

What if I got bruised on my face at a bar fight?

The passface system will be smart enough to recognize your passface even if you are bruised to a certain extent. But if you are bruised beyond recognition or are covered in bandages, you will have to use your override password. It can be used only after a certain number of days of not authenticating using your passface.

Why can't I use the override password immediately?

Because that would be as good as using the normal password system, which defeats the whole purpose of using passface in the first place.

That is pretty much all about passface. The trickiest part would be the hashing and matching algorithm in the whole thing.
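An added sketch (not code from this post) of the user creation and authentication steps above, in Python. The feature vectors, thresholds and function names are constructed assumptions, and it goes one step beyond the post by comparing a literal salted hash with distance-based matching on the same captures.

```python
# Added illustration: vectors, thresholds and names are constructed assumptions.
import hashlib
import math
import os

MATCH_MAX = 0.35  # assumed: largest distance still accepted as the same passface
WEIRD_MIN = 0.80  # assumed: smallest distance from the normal face at enrolment

def salted_hash(vec, salt):
    """A literal salted hash: SHA-256 over the vector rounded to 2 decimals."""
    data = ",".join(f"{x:.2f}" for x in vec).encode()
    return hashlib.sha256(salt + data).hexdigest()

def enrol(neutral, passface):
    """User creation ii-iii: refuse a passface too close to the normal face."""
    if math.dist(neutral, passface) < WEIRD_MIN:
        raise ValueError("face is not weird enough")
    return list(passface)

def authenticate(template, capture):
    """Authentication ii-iii: threshold match, then store the fresh capture."""
    if math.dist(template, capture) <= MATCH_MAX:
        return True, list(capture)
    return False, template

# Constructed "face recognition data" (six made-up features per capture).
NEUTRAL = [0.10, 0.20, 0.30, 0.40, 0.50, 0.60]    # the user's normal face
ENROLLED = [0.90, 0.10, 0.75, 0.05, 0.95, 0.20]   # passface at sign-up
RECAPTURE = [0.88, 0.13, 0.77, 0.04, 0.93, 0.22]  # same passface, later login
PHOTO = [0.11, 0.21, 0.29, 0.41, 0.50, 0.58]      # photograph of the normal face

def demo():
    salt = os.urandom(16)
    template = enrol(NEUTRAL, ENROLLED)
    # Exact comparison of salted hashes fails on the slightly different capture.
    exact = salted_hash(template, salt) == salted_hash(RECAPTURE, salt)
    ok, template = authenticate(template, RECAPTURE)  # template is refreshed
    photo_ok, _ = authenticate(template, PHOTO)       # normal face is rejected
    return exact, ok, photo_ok, template

if __name__ == "__main__":
    print(demo())
```

Two captures of the same passface do not produce identical recognition data, so the literal salted hash fails to match while the distance check succeeds. In this sketch the server therefore has to keep the template in a comparable form rather than as a one-way hash.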

Now let's take a look at some of the disadvantages and advantages of the passface authentication system.

Disadvantages

  1. You will look like a fool in public places.
  2. The paparazzi might steal your passface using a telephoto lens.
  3. Needs a camera. But then most devices come with cameras these days.
  4. Sudden changes in faces require the use of the override password.

Advantages

  1. Passfaces are very unique in the whole world.
  2. Safer than fingerprint-based authentication. Fingerprints can be duplicated.
  3. Much safer than normal face recognition based authentication. Your normal photo cannot pass off as you in the passface system.
  4. Even identical twins cannot hack each other's passfaces, unless they know them.
  5. People can see your passface but still not be able to use it, unless they take a high-res picture of it.

And with this I come to the end of this post. What is your opinion about passface? Is my idea totally totally crazy? Is it retarded? Ingenious? Got anything to ask me? I hope no one patents this idea (hey, you never know who might patent what these days). Please comment.

One Response to “Passface – an alternative authentication system”

  1. HJoaco says:

    Hey, I’m trying to develop it, a login system using the webcam, is a very interesting I had a few months ago, but looking at your post MongoDB of passface found this post very interesting.
