DoxPara Research
12-Feb-2001 / Dan Kaminsky
RealFaces: An Intriguing Way To Authenticate

RealFaces (http://www.realuser.com) is actually surprisingly cool. I began writing a point by point rebuttal to the effectiveness of their technology, until I finally decided to take a few minutes to try it out.

I'm impressed. Their documentation (what little there is) is positively awful from a technical point of view; you can practically taste the various layers of refinement in their design. They tested this stuff a lot, and obviously went back to the drawing board at least a few times. What's interesting is that your password isn't just one face of nine, it's all nine faces acting in concert to remind you which specific one you're supposed to remember. The faces are probably computer-generated using face amalgamation mechanisms, considering they possess a surprising degree of explicit diversity--there's always one and only one person who's black, who has a specific curve in their hair, who has "extra bright teeth", and so on.

From an entropic point of view, five rounds of 1/9 selection without any apparent ability to test passwords round by round (a failure in round 2 still offers the opportunity to try rounds three through five, and the server rather than the client does the authentication) gives a little under sixteen bits of entropy--59K possible passwords. Their ActiveX control doesn't function under Opera, and might not under Netscape, which limits its deployability.
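The arithmetic behind that paragraph, as an added example (not code from the post or from RealUser): the search space is 9^5 = 59,049 sequences, about 15.85 bits, but only because the verifier answers once for all five rounds. The helper also generalizes to any grid size and round count, and shows what happens if a client-side check were to leak each round's result: the attacker could brute-force rounds independently and the worst case drops to 5 × 9 = 45 attempts. The `PassfaceVerifier` class is a constructed toy of the server-side, all-or-nothing check, not RealUser's implementation.

```python
import hashlib
import hmac
import math
import secrets

GRID = 9     # faces shown per round (from the post)
ROUNDS = 5   # rounds per login (from the post)


def keyspace(rounds=ROUNDS, grid=GRID):
    """Distinct passface sequences when every round must be right and the
    verifier only answers after all rounds: grid ** rounds."""
    return grid ** rounds


def entropy_bits(rounds=ROUNDS, grid=GRID):
    """log2 of the keyspace; 9^5 gives a little under 16 bits."""
    return math.log2(keyspace(rounds, grid))


def worst_case_guesses(rounds=ROUNDS, grid=GRID, per_round_feedback=False):
    """Login attempts needed to exhaust the space.

    Without per-round feedback the attacker must submit whole sequences, so
    the worst case is grid ** rounds.  If a (hypothetical) client-side check
    revealed each round's result, rounds could be attacked one at a time and
    the worst case collapses to rounds * grid.
    """
    if per_round_feedback:
        return rounds * grid
    return keyspace(rounds, grid)


class PassfaceVerifier:
    """Toy server-side verifier (constructed for this example).

    It stores a keyed hash of the whole sequence and compares only once all
    picks are submitted, so a wrong round-2 pick cannot be detected in
    isolation: every submission yields a single accept/reject bit.
    """

    def __init__(self, passfaces, key=None):
        if len(passfaces) != ROUNDS or any(not 0 <= p < GRID for p in passfaces):
            raise ValueError("passfaces must be %d picks in 0..%d" % (ROUNDS, GRID - 1))
        # Server-side secret so the stored digest is not directly brute-forceable offline.
        self.key = key or secrets.token_bytes(32)
        self.digest = self._mac(passfaces)

    def _mac(self, picks):
        # Each pick is a small index, so the sequence serializes as one byte per round.
        return hmac.new(self.key, bytes(picks), hashlib.sha256).digest()

    def verify(self, picks):
        """Accept only a complete, well-formed sequence that matches all rounds."""
        if len(picks) != ROUNDS or any(not 0 <= p < GRID for p in picks):
            return False
        return hmac.compare_digest(self._mac(picks), self.digest)


if __name__ == "__main__":
    print("keyspace:", keyspace(), "bits: %.2f" % entropy_bits())
    print("worst case, all-rounds check:", worst_case_guesses())
    print("worst case, per-round feedback:", worst_case_guesses(per_round_feedback=True))
    v = PassfaceVerifier([3, 0, 7, 2, 5])          # constructed sample sequence
    print("correct sequence accepted:", v.verify([3, 0, 7, 2, 5]))
    print("one wrong round rejected:", v.verify([3, 0, 7, 2, 4]))
```

Run as-is it prints the 59,049 / 15.85-bit figures and the 45-guess degraded case; the point of the toy verifier is that the only observable difference between "four of five right" and "none right" is the same single rejection.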

Their biggest issue is that it's likely more difficult to remember large sets of passfaces--remember, the advantage that you *can't* write them down is also a heck of a disadvantage if you have multiple sets of authenticating material. RealUser's solution is to have all public sites centrally authenticate through it, which of course generates a single point of failure--remember when PassPort (Hotmail's central authentication server) lost its DNS, and half of Microsoft's sites no longer worked? Imagine if nobody could log in...anywhere.

Overall, it's pretty interesting technology. There are conceivably weaknesses if they're using only certain faces as "key faces", if repeated properties always rule out a few of the people, or if the "correct face" is always downloaded first by the client. But those are implementation flaws. The core technological flaws--from inadequate differentiation between option faces to the fact that random "peers" would eventually differentiate themselves from a static keyface--have been addressed nicely. The one thing I'm particularly concerned about is cultural bias...but dealing with that problem is actually amazingly harder than you'd think.

I can see why Dyson invested. The technology isn't perfect, but it is...interesting. Much, much more compelling than I expected it to be.

Yours Truly,

Dan Kaminsky, CISSP
Cisco Systems, Inc.
http://www.doxpara.com
