Paper 2017/169

UFace: Your Universal Password That No One Can See

Nicholas Hilbert, Christian Storer, Dan Lin, and Wei Jiang

Abstract

With the advantage of not having to memorize long passwords, people are more interested in adopting face authentication for use with mobile devices. However, since facial images are widely shared in social networking sites, it becomes a challenging task to securely employ face authentication for web services to prevent attackers from impersonating the legal users by using the users’ online face photos. Moreover, existing face authentication protocols either require users to disclose their unencrypted facial images to the authentication server or require users to execute computationally expensive secure multiparty computation protocols. For mobile devices with limited computational power, this presents a problem that cannot be overlooked. In this paper, we present a novel privacy preserving face authentication system, called UFace, which has users take close-up facial images for authentication to prevent against impersonation attacks of users’ online facial images. UFace also guarantees that the facial images are only seen by the users and not by any other party (e.g., web service providers and authentication servers). UFace was implemented through two facets: an Android client application to obtain and encrypt the feature vector of the user’s facial image, and server code to securely authenticate a feature vector across multiple servers. The experimental results demonstrate that UFace not only can correctly authenticate a user, but also can be done within seconds which is significantly faster than any existing privacy preserving authentication protocol.