Deep into an era dominated by mobile devices, it’s somewhat strange that users find themselves shackled to a password model invented for computers with full-size keyboards and screens.
Not surprisingly, entering a password on a mobile device can be fiddly, not to mention the traditional problem of remembering lots of passwords or PINs and creating secure ones in the first place.
Pattern locks are a possible answer but come with disadvantages such as being easy to shoulder surf or detect using a smudge attack (detecting the grease prints left by fingers on a screen).
According to a new paper by researchers from Xi'an Jiaotong-Liverpool University in China, we shouldn’t be surprised when research confirms that up to two thirds of mobile users cope with these inconveniences by abandoning passwords, PINs and even patterns to access their device, and simply hope for the best.
The team’s alternative – called SemanticLock – replaces passwords, PINs and patterns with a sequence of graphical icons which work semantically.
For example, the sentence “I eat breakfast with coffee” can be represented by four icons representing each word or concept in that sequence, which is easier to enter on a small screen than the equivalent alpha-numeric characters.
These icons can also be arranged quickly into the correct sequence from a palette of up to 20 icons in as few as two finger movements, the researchers claim.
So much for speed and memorability, what about security?
Conceptually, a sequence of icons should be as secure as a sequence of numbers, which is to say the security is the same as long as the palette of icons doesn’t lure people into using the same set of memorable sequences.
The position of the icons on the screen rotates over time which rules out smudge attacks.
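The following Python model is an added illustration, not code from the paper or this article. It works through the two security points just made: the raw keyspace of a four-icon sequence from a 20-icon palette against a four-digit PIN, how that collapses if users draw from a short list of memorable sentences, and why shuffling icon positions for every unlock means the touch positions a smudge attack recovers from one session do not replay in the next. The palette names, the 4x5 grid, the four-icon length and the assumption that icons may repeat are all constructed for the example.

```python
"""Model of an icon-sequence lock in the SemanticLock style, constructed for illustration:
keyspace versus a PIN, the memorable-sentence caveat, and per-session icon shuffling."""
import math
import random

# Constructed 20-icon palette, shown on a 4-row x 5-column grid (assumption).
PALETTE = ["i", "eat", "breakfast", "with", "coffee", "dog", "car", "sun", "moon", "tree",
           "book", "phone", "key", "house", "cat", "fish", "bird", "star", "apple", "clock"]
COLS = 5

def keyspace(symbols: int, length: int) -> int:
    """Ordered sequences of `length` symbols, repetition allowed (assumption)."""
    return symbols ** length

def entropy_bits(count: int) -> float:
    """Bits of uncertainty when the secret is one of `count` equally likely sequences."""
    return math.log2(count)

def session_layout(rng: random.Random) -> list[str]:
    """Fresh icon order for one unlock: index = grid slot, value = icon shown there."""
    layout = list(PALETTE)
    rng.shuffle(layout)
    return layout

def touch_trace(secret: list[str], layout: list[str]) -> list[tuple[int, int]]:
    """(row, col) slots the user touches to enter `secret` on this layout: what a smudge reveals."""
    return [divmod(layout.index(icon), COLS) for icon in secret]

def icons_at(trace: list[tuple[int, int]], layout: list[str]) -> list[str]:
    """Map touched slots back to icons under a layout: what the lock actually checks."""
    return [layout[r * COLS + c] for r, c in trace]

def verify(trace: list[tuple[int, int]], layout: list[str], secret: list[str]) -> bool:
    return icons_at(trace, layout) == list(secret)

if __name__ == "__main__":
    print("20^4 icon sequences: %.1f bits, 10^4 PIN: %.1f bits, 50 memorable sentences: %.1f bits"
          % (entropy_bits(keyspace(20, 4)), entropy_bits(keyspace(10, 4)), entropy_bits(50)))
    secret = ["i", "eat", "breakfast", "coffee"]
    rng = random.Random()
    first, second = session_layout(rng), session_layout(rng)
    smudge = touch_trace(secret, first)  # slots left behind after one genuine unlock
    print("replaying those slots on the next layout unlocks:", verify(smudge, second, secret))
```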
In testing with 21 users, SemanticLock was slightly slower to use than patterns in some use cases but a bit faster than PINs. In terms of memorability, however, a chosen sequence was forgotten only 10% of the time as against 70% for patterns and 50% for PINs. Overall…
…comparing SemanticLock against other authentication systems, we discovered that SemanticLock outperformed the PIN and matched the pattern both on speed, memorability, user acceptance and usability.
On the basis of these results, one might assume that mobile device makers would be falling over themselves to implement SemanticLock, or something like it.
That assumption would be wide of the mark. Graphical and image-based authentication designs of various types are nothing new and yet today’s passwords still rely on alphanumeric characters, PINs and patterns.
The reason is that, for all their drawbacks, these designs got there first, and the familiarity that comes with incumbency makes displacing them extremely difficult.
Moreover, it’s likely that the sizable hardcore of users who don’t bother with today’s passwords, PINs and patterns would also ignore icons.
Meanwhile, smartphone makers have invested heavily in alternatives such as Apple’s Face ID. This isn’t perfect, but it’s at least as secure while being quicker and simpler than any system that asks users to enter data or perform an action to access their device. Perhaps then, passwords won’t be replaced by icons but by faces.
mike@gmail.com
Remember the old password mechanism that relied on indicating certain portions of an image? I bet that could be brought back and do pretty well, if you included drawing patterns from area to area.
Steve
Please explain..?
Paul Ducklin
This:
https://nakedsecurity.sophos.com/2013/09/09/windows-picture-passwords-are-they-really-as-easily-crackable-as-everyones-saying/
I was never convinced by that system. Like those swipe-passwords on Android, where people tend to keep to a surprisingly narrow set of actions, so they’re easier to predict than you might expect.
delayedthoughtengineering
If the image were to be split up into multiple quadrants and scrambled around between each unlocking session, that might be OK. For static images, though, it’s all too easy to shoulder-surf (or even record from across the room!) a pattern used on a static image.
Unfortunately, splitting and scrambling image parts simply won’t work well with getting users to draw a picture on top of a picture, if the underlying picture changes all the time. Plus, to be more secure, you’d want more than just 4, 6, or 8 quadrants to scramble. The more picture bits to move around, the more security you’ll see. However, the human brain can quickly be overwhelmed with this added complexity. (E.g. “Did I draw from the left eye to the right pigtail? Or the right eye to the left shoulder?” “I circled the nose. Is that a nose or an elbow?”)
Geoff
Hi there,
This is the next step of authentication: replacing pre-shared keys (passwords) with challenge-response schemes (just like machine auth did 20 years ago). That is exciting!
PayPal is using biometric authentication (finger, eye…) whose secret patterns are in the phone’s HSM. As a current user, it’s by far a blazing fast authentication mechanism for apps or phones. Using it for multifactor authentication (phone+biometry) places it at a good security level, doesn’t it?
R. Dale Barrow
Here it comes: Correct Horse Battery Staple
Anonymous remaining unknown
Thanks Mr. Dunn, this is part of what I’m learning in cyber security school/MASTERS IN BUSINESS.
WAY COOL.
DudeSweet
Password managers are pretty slick now, but maybe not ready for users a little more technology capable. Plus none currently support device unlocking. Most mobile devices support fingerprint authentication, though. Face ID might be OK (and better than Android’s and Windows’ facial recognition systems), but I’d rather have a fingerprint reader 100% of the time. I unlock my Android phone via fingerprint. Whenever a website or app requires logging in, my password manager pops up requesting my fingerprint to unlock. It then autofills the credential field (if the app supports it) or, worst case, lets me copy-paste into the fields manually. If only more Android apps supported Oreo’s new credential system…
I think using Apple’s keychain works similarly, right?