Will emoji passcodes put a smile on your face?

UK firm Intelligent Environments has developed an emoji alternative to numerical passcodes used in online banking.

A British company has launched an emoji-based alternative to numeric passcodes used to access online bank accounts.

Intelligent Environments says its system, which uses emojis chosen from a pool of 44, is easy to remember and harder to crack than a normal passcode.

It should be harder to crack because there are so many more possible combinations of characters: there are 10,000 possible combinations of four digits, compared to just under 3.75 million combinations of four emojis.

Numbers vs pictures

The company says its decision to create an authentication system based around emoji was in response to research suggesting nearly a third of British bank account holders had forgotten their PINs in the last year, and that one in four UK bank account holders used the same PINs across all of their bank cards.

Based on additional research from the National Academy of Sciences, they determined that emojis are likely to be much easier to remember because humans are far more adept at recalling pictures than numbers or letters.

Other research, most notably the picture superiority effect – itself influenced by the dual-coding theory developed by Allan Paivio – appears to back up such an assertion, suggesting that images provide both a visual and verbal cue, thereby doubling the chances of recall.

A press release from Intelligent Environments, who develop multi-platform software for financial services, quotes memory expert Tony Buzan, inventor of the Mind Map technique, who said:

The Emoji Passcode plays to humans' extraordinary ability to remember pictures, which is anchored in our evolutionary history. We remember more information when it's in pictorial form, that's why the Emoji Passcode is better than traditional PINs.

Of course, using emojis to log into your online bank account isn’t for everyone and any move to the system is, we presume, likely to run in tandem with traditional passcodes.

Emoji is claimed to be the fastest growing language in the UK.

Intelligent Environments’ managing director, David Webber, says he thinks the company’s emoji security technology could be a hit with younger people:

We've had input from lots of millennials when we developed the technology. What’s clear is that the younger generation is communicating in new ways. Our research shows 64% of millennials regularly communicate only using emojis. So we decided to reinvent the passcode for a new generation by developing the world's first emoji security technology.

Whether such a system will be an equally big hit with the banks remains to be seen, but it could offer a potentially stronger system than the traditional four-digit PIN.

Storing and reusing passcodes

Sure, there are some potential drawbacks – we know all too well that many people reuse passwords and PINs everywhere they go and if emoji passcodes prove popular they’re unlikely to be any different.

Organisations who want to implement emojis for authentication could head off the dangers of passcode reuse by ensuring that their application uses a proprietary set of pictures.

Even if they do, it’s important that users don’t abandon good password discipline.

We know that too many people use PINs of significance (dates of birth, for instance) and weak passwords such as “password1” and “123456”. It remains to be seen how users will unintentionally abuse the emoji grid – but if they can, they will!

Lots of users will probably pick rows or columns of emojis, if they can, so banks would be well advised to randomise the order they appear in (which would also stop thieves guessing the combination from greasy finger marks).

Whatever type of password or passcode you use I recommend adding in two-factor authentication whenever possible too.

And I hope that any developer taking on emoji security will be savvy enough to combine it with rate limiting and will store the codes securely, with the same care as any other type of password.
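
The storage and rate-limiting advice above, as an added Python sketch (not code from Intelligent Environments or from the original article). It assumes a passcode is held as four indices into the 44-emoji pool; the `PasscodeStore` class, the scrypt parameters and the lockout thresholds are hypothetical choices made for this example.

```python
import hashlib, hmac, os, time

POOL_SIZE = 44        # emoji pool size stated in the article
CODE_LEN = 4          # four emojis per passcode
MAX_FAILS = 5         # assumption: lock after five consecutive failures
LOCK_SECONDS = 900    # assumption: 15-minute lockout

def keyspace(pool=POOL_SIZE, length=CODE_LEN):
    """Number of possible passcodes: 44**4 for emojis, 10**4 for a PIN."""
    return pool ** length

def _encode(code):
    # A passcode is a sequence of emoji indices 0..43, not the glyphs.
    if len(code) != CODE_LEN or any(not 0 <= i < POOL_SIZE for i in code):
        raise ValueError("passcode must be four indices into the emoji pool")
    return bytes(code)

def _kdf(code, salt):
    # scrypt makes each offline guess expensive, but it cannot enlarge a
    # keyspace of under 3.75 million, so online guesses must be limited too.
    return hashlib.scrypt(_encode(code), salt=salt, n=2**14, r=8, p=1, dklen=32)

class PasscodeStore:
    def __init__(self, clock=time.monotonic):
        self._users = {}    # user -> (salt, digest)
        self._fails = {}    # user -> (consecutive failures, locked_until)
        self._clock = clock

    def enroll(self, user, code):
        salt = os.urandom(16)               # unique random salt per user
        self._users[user] = (salt, _kdf(code, salt))

    def verify(self, user, code):
        """Return 'ok', 'denied' or 'locked'."""
        fails, locked_until = self._fails.get(user, (0, 0.0))
        if self._clock() < locked_until:
            return "locked"                 # checked before any hashing is done
        salt, digest = self._users[user]
        if hmac.compare_digest(_kdf(code, salt), digest):
            self._fails.pop(user, None)     # success clears the counter
            return "ok"
        fails += 1
        until = self._clock() + LOCK_SECONDS if fails >= MAX_FAILS else 0.0
        self._fails[user] = (0 if until else fails, until)
        return "denied"
```

With these assumed limits, an online guesser gets five tries per lockout window against 3,748,096 possibilities, while the salted scrypt digest only slows, and does not prevent, an offline search if the stored values leak.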

As for those of us who may end up using emoji passcodes, there is currently no way of storing them in a password vault so we’ll have to remember not to write them down, but they otherwise offer an interesting solution to securing our online accounts which, up until now, are protected with some of the shortest and least secure codes on the web.


Image of emoji passwords from Intelligent Environments.

I seriously doubt this will be safer and may actually be less safe than a properly selected password. It’s fairly obvious that people will pick icons that they associate with themselves. I think that a quick scan of the average person’s Facebook page will get you the, pitifully few, four icons.

I commute by bicycle so it’s a good guess that I would use the bicycle icon. I post on a local beer site so you wouldn’t be wrong to think I might choose the icon of the beer stein. That’s two out of four and you could get that by doing a quick google search on me.

Also, in the same way that people use common passwords there will be 10 sets of icons that a lot of people use and they will probably be the first four in the list (up, down, left, and right) unless Intelligent Environments intends to randomize the order every time you use them.

The article doesn’t say but I’m assuming these will be used over the network and computers don’t care about the pictures all they care about is the digital representation of that picture and there are only 44 of them. That’s less than upper and lower case letters combined.

I applaud the effort to make security easier for the user. I don’t think four pictures is enough.

Reply

I’m with you. When someone tells me that an approach to password security based on modern-day stylised mini-icons is superior to using digits because it’s “anchored in my evolutionary history,” my bogoscience detector starts beeping.

This isn’t about picture recognition. It’s about remembering a sequence of objects. In my lifetime, I have much more commonly been called upon to remember and use sequences of digits than sequences of piddly little imagettes that look vaguely recognisable – think of ID numbers, passport numbers, credit cards, car regos, telephone numbers, those crummy bicycle locks you had when you were a kid, and so on.

Still, it’s worth a try, I suppose.

Reply

My concern with having emojis for a password is that if it is a lot easier for me and for the majority of people to remember a sequence of 4 pictures, so it is for the person sitting next to me on the train, or the one standing behind me, let’s say at the ATM. Criminals can gather information from people’s phones by not even trying hard and simply by being near you; what book you are reading, your pictures, your FB posts, bank statements, etc.
I think it’s novel and great as an idea, but I’m not so sure about its practicality.

Reply

I think the principal challenge in password security isn’t to present an alternative to the “properly selected password”, it’s to pull the huge numbers of people who don’t get close to properly selecting their passwords up off the floor.

This is designed to replace frequently used four, five or six digit numeric passcodes on mobile phone apps. A properly selected password would be superior to both a numeric or emoji passcode but is onerous to use on that form factor.

People choose bad passwords because passwords and passcodes are a bad design—they require us to do things our brains aren’t very good at.

Trying to change people to fit the design through education has made little if any difference over decades and most of the engineering effort goes into finding alternatives, strengthening storage or dreaming up painful ways to enforce policies. Some fresh thinking on the basic design itself is long overdue.

Reply

Hackers will not be allowed to find common and easily obtainable numerical passcodes such as a date of birth.

The emoji passcode system was launched following research, which showed that most of the people in the UK find it hard to remember numerical passcodes.

A survey of more than 1,300 people revealed that nearly a third have forgotten their PINs before with one in four saying they use the same PIN for all their cards.

Reply

Of course, the fact that 1/3 of people say they have forgotten their PIN at some stage doesn’t say anything about whether they are more or less likely to forget sequences of digits, letters, star signs, little pictures or musical tones at least once in their lives.

I accept that it’s possible that people are likely to choose bad PINs because of common “digit sequences” in our lives that we lean towards, such as birthdays.

But, as an earlier commenter pointed out, you can make the same argument about your life situation affecting your choice of emoji characters – his example was bicycles and beer.

OTOH, if emoji characters persuade even a few users to stop using 0000, 1234, 2580 or 5683 (LOVE), we’ll have got somewhere. I have a sneaking suspicion that the 4-character-choice problem will remain, with a few common sequences (e.g. SMILE FROWN LOVE WOW or LOVE BEER SMILE BICYCLE) being selected far more frequently than randomness would predict.

Reply

The emoji password concept is not entirely based on simply selecting four images. It is selecting four images which tell a story, which we can remember. Password hints are for me incredibly difficult to remember unless I can pick the question. I do not know the answer to a lot of stock questions, sorry, I put more interesting stuff in my mind since childhood. And if you EVER worked in IT support worldwide then you know how impossible it can be to speak to another person many of the special characters. I do not think the path to security is by teaching the world the word asterisk or ampersand.

Reply

You’re saying that it’s harder to explain what an “exclamation point” or a “question mark” is than to explain that the emoji you meant was the thing that looks like a baseball…no, that’s a *basketball*, no, not that one, that’s a football, ah, perhaps you know it as a soccer ball..no, sorry, there isn’t a cricket ball in the character set, it doesn’t support that yet :-)

What strikes me about emoji characters is how culturally specific some of them are, and therefore how unlikely some of the characters are ever to be used in some countries, even though they might very well be over-selected in others…

The word “asterisk” is common enough in English, and worth learning on that account, because the character is commonly used in written documents (notably adverts, where the asterisk typically warns you something isn’t quite as good as it sounds :-)…

Reply
