Real User Recognizes a New Take on Security

By Andrea Caumont
Washington Post Staff Writer
Monday, January 3, 2005; Page E05

Jim Melonas wants you to forget the dozen passwords you use to log in to your employer's computer systems and applications, your online banking account and your e-mail, and concentrate on remembering that attractive face in the top right corner.

Melonas is executive vice president of Real User Corp., an Annapolis company that has created a "cognometric" user verification system called Passfaces that relies on the ability to recognize familiar faces. The system can be used with or instead of traditional password systems based on numbers and letters.

In Profile

Name: Real User Corp.

Location: Annapolis

Big idea: Created a new user verification system based on choosing familiar faces out of multiple groups of nine faces. The company hopes its program will replace traditional text-based passwords.

Founded: Mid-1990s in Britain by Hugh Davies, who came up with the original idea for Passfaces. Paul Barrett, chief executive, moved the company to the United States in March 2001.

Web site: www.realuser.com

Who's in charge: Paul Barrett, chief executive; Jim Melonas, executive vice president; and Andrew Ryan, chief technology officer.

Funding: The company has raised "in the neighborhood" of $700,000 from angel investors and management, Melonas said. Firm hopes to complete a $1 million to $2 million round of funding during the first half of 2005 and to have at least 100,000 Passface users by the end of the year.

Employees: Seven, with five in the United States and two in Brighton, England, where the company's research and development unit is based.

Partners: Titan Corp., Control Break International, BearingPoint, Enterprise Solutions Group, Information Technology Management Inc. and Sidus Group.

Big-name clients: U.S. Senate, Congressional Budget Office, General Services Administration, Titan Corp., Control Break International, Surfnet, University of Maryland Baltimore County and PRMS Inc.

Origin of company name: "They're very descriptive names," Melonas said. "The company prides itself in helping entities determine who their real users are, and you've heard of passwords, but now you have Passfaces."

"Humans have a natural ability to recognize familiar faces," Melonas said. "A portion of the brain is dedicated to that activity. All the system requires you to do is recognize the face, you don't have to identify anything." Users navigate a series of screens -- as many as eight or nine or as few as two or three depending on security requirements. Each screen shows photos of nine different faces. Users pick their assigned "secret" face from each set to gain access to a secure system or Web site.

In creating its system, Real User tried to balance security with ease of use, Melonas said. The result was a grouping of faces arranged "like a telephone pad, which we've all become familiar with. The people are different but the construction of the faces is uniform." The grids are always made up of nine faces and always separated by sex, either all male or all female. The faces are also randomly assigned to different locations each time a user tries to log in through the Passfaces system.

Melonas thinks his company's system solves a number of long-standing problems with traditional passwords, starting with the fact that they are so forgettable. "The real security problems come from the difficulty humans have managing passwords," Melonas said, "either remembering them or associating them with the correct system. . . . People write them down, put them under their mouse pads or on stickies," jeopardizing the secrecy of their passwords.

Melonas said it's also too easy for a user to share a password with a co-worker or divulge it on a "phishing" Web site that tricks users into revealing private information. Passing along to someone else a description of the brown-haired woman or the red-headed guy who looks like your cousin or the other members of your secret sequence of faces would be much more difficult.

Melonas said concerns about "shoulder surfers," people who hover behind users as they choose their faces from the grids, can be allayed by disabling the mouse and using a number pad to key in the location of a face. Melonas said it would be impossible to guess a sequence of faces: Five screens of Passfaces represent the equivalent of 60,000 passwords.
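An added example, not part of the original article and not Real User's code: a Python model of the login flow described above (grids of nine, positions reshuffled on each login, keypad entry) that computes how many face sequences exist and how likely blind guessing is to pass before a lockout. The face IDs, pool size, three-attempt lockout and all function names are assumptions made for illustration.

```python
import math
import random

GRID = 9  # faces per screen, laid out like a telephone keypad (digits 1-9)

def build_challenge(secret_faces, decoy_pool, rng):
    """One grid per secret face: the secret plus 8 decoys, shuffled per login."""
    grids = []
    for secret in secret_faces:
        decoys = rng.sample([f for f in decoy_pool if f != secret], GRID - 1)
        grid = decoys + [secret]
        rng.shuffle(grid)  # positions change on every login attempt
        grids.append(grid)
    return grids

def correct_digits(grids, secret_faces):
    """Keypad digits (1-9) a legitimate user would press for this challenge."""
    return [grid.index(s) + 1 for grid, s in zip(grids, secret_faces)]

def verify(grids, secret_faces, digits):
    """Accept only if every pressed digit lands on that screen's secret face."""
    if len(digits) != len(grids):
        return False
    return all(1 <= d <= GRID and g[d - 1] == s
               for g, s, d in zip(grids, secret_faces, digits))

def keyspace(screens):
    """Number of distinct face sequences for a given number of screens."""
    return GRID ** screens

def guess_success(screens, attempts):
    """Chance that blind guessing passes at least once before lockout."""
    return 1 - (1 - 1 / keyspace(screens)) ** attempts

def replay_hits(secret_faces, decoy_pool, rng, logins):
    """Replay digits observed in one login against fresh, reshuffled logins."""
    seen = correct_digits(build_challenge(secret_faces, decoy_pool, rng), secret_faces)
    return sum(verify(build_challenge(secret_faces, decoy_pool, rng), secret_faces, seen)
               for _ in range(logins))

if __name__ == "__main__":
    # Seeded PRNG keeps the demo reproducible; a real system would use a CSPRNG.
    rng = random.Random(2005)
    pool = [f"face-{i:03d}" for i in range(200)]  # constructed, hypothetical face IDs
    chosen = rng.sample(pool, 5)
    for n in (3, 5, 9):  # screen counts in the range the article mentions
        print(n, keyspace(n), round(math.log2(keyspace(n)), 1), guess_success(n, 3))
    print("replayed digits accepted:", replay_hits(chosen, pool, rng, 200), "of 200")
```

For five screens the model gives 9^5 = 59,049 sequences, about 15.8 bits, which is close to the 60,000 figure quoted above.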

Melonas believes his company's biggest challenge is the willingness of organizations to continue managing passwords the old way. "That's typical of any new disruptive technology," Melonas said, "but we think that's eroding." He said the federal Health Insurance Portability and Accountability Act's requirements to guard health care records and the Sarbanes-Oxley requirements on corporate governance are pressuring many industries to improve cyber-security.

But change will take time, Melonas acknowledged: "Computers were driven by command line language and it took years for graphic user interfaces to be adopted commercially, but now you wouldn't live without them. The password is the last bastion of the command line interface, and now we have an alternative."

Who are the faces that make up Passfaces? Real User has relationships with several universities in the United Kingdom, Melonas said, that allow the company to collect images of faces. "We take a 30- to 40-second video clip and pick out a frame that meets our requirements in terms of the face, the position of the smile and the hair."

If you would like to become a Passface, don't hold your breath. With several thousand pictures, Melonas said, "we have enough faces in our library for now."

© 2005 The Washington Post Company