Passface


PASS FACE A Cognometric Authentication

1. Overview
This document describes the Passface System SDK - a collection of components, applets, executables, modules and example HTML pages that provide an easy and flexible path to providing user authentication using the Passface System within your own web based application.
1.1 What are Passfaces?
The Passface System is a revolutionary method of user authentication that provides great benefits in usability and security over traditional password based authentication.

Identity verification is arguably the most important and certainly the most fundamental of IT security requirements: nearly all other functions in this field (such as access control, data confidentiality, digital signatures etc.) rely for their successful operation on some part of the system being able to confirm a person's identity. Unfortunately, in practice, proof of identity is consistently the weakest link in the security chain: the vast majority of systems today still rely on passwords or PINs - in spite of their well-known shortcomings. The primary reason for this continued reliance on passwords has been an absence of practical alternatives.

The answer is: forget passwords - use passfaces! People are as good at recognizing faces as they are bad at remembering passwords and PINs. According to the cognitive psychologists, there is a part of the human brain that is dedicated to the task of face recognition. Our own experience tells us that we can all remember and recognize hundreds, if not thousands, of people by their faces - even if we may forget their names! The Passface system works like this:
Users start by getting to know five or more passfaces from a large library of similar, anonymous faces.
When required to authenticate themselves, the system challenges the user with a 3 by 3 grid of faces containing one passface and 8 decoys of the same general appearance. The faces appear in random positions within the grid each time.
The user responds by indicating their passface in the grid using the mouse or keypad.
This challenge/response is repeated with the user's remaining passfaces.

A brilliantly simple concept... with a number of benefits:
Users always recognize their passfaces, even after long periods of disuse. The user doesn't actually have to recall a passface as they would a password or PIN for the same reason that they do not have to be thinking of an acquaintance to spot them unexpectedly.
A user's passfaces can be assigned randomly by the system without compromising usability - we are good at recognizing faces regardless of whether we choose them ourselves. By contrast, a user is unlikely to remember a system assigned password or PIN and will typically be forced to carry a written copy in order to use the system.
Passfaces cannot be easily written down or given to colleagues or attackers - even under duress.
The Passface System is a direct password replacement requiring no additional or specialized hardware and minimal software changes.

For more information on the Passface Authentication concept see the Real User web site: http://www.realuser.com/.

What is the Passface System SDK?
The Passface System SDK is the collection of software components and examples described in this document that allow your organization to implement and manage the Passface System on your own servers and networks.
This diagram shows the various parts of the Passface System SDK and how they can be used together to create a complete Passface authentication system. Alternatively, any of these parts can be used in conjunction with your own web pages or server application to create a Passface authentication system for your environment.
The core of the toolkit is the Passface Client (an ActiveX component or Java Applet). Additional components of the toolkit include example HTML pages and CGI (Common Gateway Interface) executables and their source code.
2.1 Passface Client
The Passface Client runs in the user's browser and provides the user interface for enrolling (getting to know your passfaces) and logging on (identifying your passfaces). The presentation of the Passface Client is highly customizable through a set of parameters in the HTML page that contains it.

The Java applet version will run in any modern browser which supports Java (JDK 1.0.2 onwards). For example, Microsoft Internet Explorer 3.0 onwards or Netscape Navigator 3.0 onwards on any platform.

The ActiveX component version will only run in ActiveX enabled browsers: currently Microsoft Internet Explorer 3.02 onwards running on Intel based (or compatible) PCs.

2.1.1 Java versus ActiveX
The most obvious advantage of the Java applet over the ActiveX component is that anyone can run the Java applet regardless of hardware platform, operating system or browser (as long as it supports Java!). Some system administrators configure users' browsers to allow Java applets (running within the Java sandbox) but disallow ActiveX components.

The most obvious advantage of ActiveX over Java is speed of launching the application and more reliable caching of the ActiveX component and of the face images that it downloads (as the cache is less prone to deletion by the user or the system). This is only really an issue on slower machines or when using older browser versions where starting the Java virtual machine itself can take a few seconds.

Internet Explorer and Netscape versions 4.0 onwards both support caching of Java classes and of images downloaded by Java applets. Consequently, in terms of performance, there is little to choose between the Java and ActiveX implementations when running on more recent browsers. In general, if security configurations permit, we would recommend using ActiveX for users using Internet Explorer on PC platforms and Java for everything else.
2.1.2 Download Sizes
Once the user has enrolled with the Passface System, the Passface Client and the face images will be cached on their computer. This means that (assuming they are using the same computer) they will not need to wait for any significant downloads to complete before being able to subsequently log on.

When enrolling (or if the user wishes to log on using a different computer), the required components/classes and images will be automatically downloaded and have been designed to be as small as possible (Java is 50K bytes for enrollment and 30K bytes for logon; ActiveX is 115K bytes including both enrollment and logon). The face image data for a typical set of faces is approximately 75K bytes for five grids.
This approach has been shown to provide acceptable logon performance even when used across the slowest dialup modem connections.
2.1.3 Configuration
Both the Java applet and ActiveX component (hereafter called the Passface Client) support the same set of configuration parameters which allow the look and feel of the component/applet to be tailored to blend into your own web site. These parameters include customization of the colors and text strings used in the Passface Client and options to change the look and behavior of the buttons. Operational details such as the number of passfaces for each user and how users are assigned their passfaces can also be configured.

For full details of the Passface Client configuration parameters, there is a separate Passface Client configuration document available on request from Real User.
2.2 Example HTML and CGI

The toolkit includes a set of HTML files that demonstrate how the applet or component can be used to replace passwords in a web based environment. An example CGI (Common Gateway Interface) program is provided (as a C++ source code distribution) which demonstrates a complete Passface enrollment and authentication system.

The CGI program may be used as an example of how to configure and use the Passface Client to replace passwords within your own existing application. Although the CGI program is written in C++, the salient features translate easily to any server-side development environment you might be using.

This example code may also be used as the basis of a simple web site authentication system. For simplicity, the example CGI program stores the user enrollment data (reference numbers indicating the faces that the user should be presented with when logging on and the subset of these that are the user's passfaces) as ASCII text files within a simple file system based 'database'.

This example code has been built and tested on both Microsoft Windows (using Microsoft Visual C++) and Unix platforms (using GNU C++) working with either Apache and Microsoft IIS web servers.
2.3 Replacing Passwords
The Passface System can easily be used to replace passwords in an existing web based application. When logging on, once the user has clicked on one face from every grid, the Passface Client sends a result to the server (as an HTTP form). The result is an ASCII string of hexadecimal digits (four digits for each passface). This result may be used directly as a password or may be compressed or passed through a one-way function before storage or comparison using existing databases or directory services.

The only additional database requirement that the Passface System imposes over using passwords is that for each user, the face reference numbers of the complete set of passfaces and 'decoy' faces that the user is presented with must be stored. So, for example, if a user's account is configured to require 5 passfaces, 45 face references must be recorded for that user (90 bytes of data). Since this set of face references does not disclose which references are the user's passfaces there are no security implications to be considered about the storage of this data. This list of face references is presented to the Passface Client as a configuration parameter when the user wants to log on. The Passface Client then reads and displays the corresponding JPEG face images within the user's browser.
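
The storage and comparison scheme described in section 2.3, as an added example that is not part of the original post or the SDK's own code. It assumes each face reference is a 16-bit number written as four hex digits, that the result string lists the chosen face of each grid in grid order, and that PBKDF2 serves as the one-way function; all function names and the work factor are hypothetical.

```python
import hashlib
import hmac
import secrets

GRID = 9              # 3 by 3 grid: one passface plus 8 decoys
ITERATIONS = 200_000  # assumed work factor for the one-way function

def encode_refs(refs):
    """Face references as four hex digits each (assumed 16-bit values)."""
    return "".join(f"{r:04X}" for r in refs)

def derive(result, salt):
    """Slow salted one-way function over the logon result string."""
    return hashlib.pbkdf2_hmac("sha256", result.encode("ascii"), salt, ITERATIONS)

def enroll(library_size, n_passfaces=5):
    """Pick distinct faces for every grid; return (stored record, passfaces)."""
    rng = secrets.SystemRandom()
    faces = rng.sample(range(library_size), GRID * n_passfaces)
    grids = [faces[i:i + GRID] for i in range(0, len(faces), GRID)]
    passfaces = [rng.choice(grid) for grid in grids]
    salt = secrets.token_bytes(16)
    record = {
        "grids": encode_refs(faces),  # 45 refs for 5 passfaces: 90 bytes packed
        "salt": salt,
        "verifier": derive(encode_refs(passfaces), salt),
    }
    return record, passfaces

def verify(record, result):
    """Check a submitted result string against the stored record."""
    grids = record["grids"]
    n = len(grids) // (4 * GRID)
    result = result.upper()
    if len(result) != 4 * n or any(c not in "0123456789ABCDEF" for c in result):
        return False
    for i in range(n):
        row = grids[i * 4 * GRID:(i + 1) * 4 * GRID]
        shown = {row[j:j + 4] for j in range(0, len(row), 4)}
        if result[4 * i:4 * i + 4] not in shown:
            return False  # selection was never displayed in this grid
    return hmac.compare_digest(derive(result, record["salt"]), record["verifier"])

def search_space(record):
    """Results consistent with the stored grids: 9 choices per grid."""
    return GRID ** (len(record["grids"]) // (4 * GRID))
```

Because the stored grids limit each choice to 9 faces, a 5-passface result has only 9^5 = 59,049 possible values, so the one-way function should be salted and slow, and failed logon attempts should be limited.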