UFace: Your universal password that no one can see

Abstract

Due to the ease of use, face authentication could be a promising way to replace hard-to-remember passwords to access web services. However, to make face authentication suitable for web services, there are still several critical security and privacy challenges unaddressed. First, the existing authentication servers typically collect the plaintext of users' facial images in order to conduct authentication. If the servers are compromised, the attackers would obtain the users' facial images and can easily impersonate the users in any other applications that use face authentication. Second, it is also hard to prevent attackers from using facial images published in social network sites to impersonate the true user. In this paper, we conquered these two issues by proposing a novel secure face authentication system, called UFace. UFace uses special close-up facial images (which cannot be found online) for authentication. To further ensure the confidentiality of these close-up images, UFace guarantees that these images are only stored at user side and the servers have not any plaintext of these images. The face authentication is conducted securely with two collaborative authentication servers. UFace was implemented through both an Android application and multiple server side programs which were then evaluated in a real setting. The experimental results demonstrate that the UFace system can accurately authenticate users within a few seconds.