This post originated from an RSS feed registered with .NET Buzz
by Robert Hurlbut.
Original Post: Pass Phrases, Passwords, and PassFaces
Feed Title: Robert Hurlbut's .Net Blog
Feed URL: http://www.asp.net/err404.htm?aspxerrorpath=/rhurlbut/Rss.aspx
Feed Description: Development with .Net, Rotor, Distributed Architectures, Security, Extreme Programming, and Databases
For a different spin, I recently heard about PassFaces. Last week, I attended the New England Information Security Group meeting in Waltham, MA at the Microsoft offices and heard someone from Real User talk about this interesting way of authenticating users. Below is a snippet of information from their site:
How The Passface™ System Works
Users start by getting to know a group of (typically 3 to 7) faces – their passfaces – which are assigned by the system at random from a large library of anonymous faces. This simple and intuitive initial familiarization process takes around 3 to 5 minutes for 5 passfaces.
To authenticate a user, the system displays a 3 by 3 grid of faces containing one passface and 8 decoy faces positioned randomly within the grid.
The user responds by indicating the position of their passface in the grid. This challenge/response is repeated with each of the user's remaining passfaces – each time presented in a grid with 8 more decoy faces.
The user is authenticated once all their passfaces have been recognized successfully.
I know several of us who attended were intrigued by this new method, but I also thought about the various ways this system may be overcome and compromised. Either way, it's good to have some options.
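The challenge/response quoted above, as an added Python sketch that is not from the original post or from Real User's product, together with the size of the answer space a blind guesser faces. The function names, the integer face ids, and the rule that decoys never include the user's own passfaces are assumptions.

```python
import math
import secrets

GRID_CELLS = 9                 # 3 by 3 grid, as in the quoted description
_rng = secrets.SystemRandom()  # CSPRNG-backed: assignment and positions must be unpredictable

def enroll(library_size, count=5):
    """Assign `count` passfaces at random from face ids 0..library_size-1."""
    return _rng.sample(range(library_size), count)

def build_challenge(passfaces, library_size):
    """One grid per passface: that passface plus 8 decoys, randomly positioned."""
    own = set(passfaces)
    # Assumption: decoys are drawn only from faces that are not this user's passfaces.
    decoy_pool = [f for f in range(library_size) if f not in own]
    grids = []
    for face in passfaces:
        grid = _rng.sample(decoy_pool, GRID_CELLS - 1) + [face]
        _rng.shuffle(grid)
        grids.append(grid)
    return grids

def verify(passfaces, grids, positions):
    """Authenticated only if every chosen cell holds that round's passface."""
    if len(positions) != len(grids):
        return False
    ok = True
    for face, grid, pos in zip(passfaces, grids, positions):
        # No early exit, so the result does not reveal which round failed.
        ok &= 0 <= pos < GRID_CELLS and grid[pos] == face
    return ok

def guess_space(rounds):
    """(equally likely answers, equivalent bits) for a guesser with no knowledge."""
    return GRID_CELLS ** rounds, rounds * math.log2(GRID_CELLS)
```

For 5 passfaces `guess_space(5)` gives 59,049 possible answers, about 15.8 bits, so the scheme's resistance to online guessing rests on limiting failed attempts rather than on the size of the secret.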
Passfaces is an interesting alternative to alphanumeric passwords. We have actually been researching an alternative to passfaces by using faces already familiar to us rather than random faces from a database. If you would like to take part in our research see below: