Will emoji passcodes put a smile on your face?
Naked Security Naked Security

Will emoji passcodes put a smile on your face?

UK firm Intelligent Environments has developed an emoji alternative to numerical passcodes used in online banking.

Will emoji passcodes put a smile on your face?A British company has launched an emoji-based alternative to numeric passcodes used to access online bank accounts.

Intelligent Environments says its system, which uses emojis chosen from a pool of 44, is easy to remember and harder to crack than a normal passcode.

The reason it should be harder to crack is because there are so many more possible combinations of characters; there are 10,000 possible combinations of four digits compared to just under 3.75 million combinations of four emojis.

Numbers vs pictures

The company says its decision to create an authentication system based around emoji was in response to research suggesting nearly a third of British bank account holders had forgotten their PINs in the last year, and that one in four UK bank account holders used the same PINs across all of their bank cards.

Based on additional research from the National Academy of Sciences, they determined that emojis are likely to be much easier to remember because humans are far more adept at recalling pictures than numbers or letters.

Other research, most notably the picture superiority effect – itself influenced by the dual-coding theory developed by Allan Paivio – appears to back up such an assertion, suggesting that images provide both a visual and verbal cue, thereby doubling the chances of recall.

A press release from Intelligent Environments, who develop multi-platform software for financial services, quotes memory expert Tony Buzan, inventor of the Mind Map technique, who said:

The Emoji Passcode plays to humans' extraordinary ability to remember pictures, which is anchored in our evolutionary history. We remember more information when it's in pictorial form, that's why the Emoji Passcode is better than traditional PINs.

The world's first Emoji passcode from Intelligent Environments on Vimeo.

Of course, using emojis to log into your online bank account isn’t for everyone and any move to the system is, we presume, likely to run in tandem with traditional passcodes.

Emoji is claimed to be the fastest growing language in the UK.

Intelligent Environments’ managing director, David Webber, says he thinks the company’s emoji security technology could be a hit with younger people:

We've had input from lots of millennials when we developed the technology. What’s clear is that the younger generation is communicating in new ways. Our research shows 64% of millennials regularly communicate only using emojis. So we decided to reinvent the passcode for a new generation by developing the world's first emoji security technology.

Whether such a system will be an equally big hit with the banks remains to be seen, but it could offer a potentially stronger system that the traditional four-digit PIN.

Storing and reusing passcodes

Sure, there are some potential drawbacks – we know all too well that many people reuse passwords and PINs everywhere they go and if emoji passcodes prove popular they’re unlikely to be any different.

Organisations who want to implement emojis for authentication could head off the dangers of passcode reuse by ensuring that their application uses a proprietary set of pictures.

Even if they do, it’s important that users don’t abandon good password discipline.

We know that too many people use PINs of significance (dates of birth, for instance) and weak passwords such as “password1” and “123456”. It remains to be seen how users will unintentionally abuse the emoji grid – but if they can, they will!

Lots of users will probably pick rows or columns of emojis, if they can, so banks would be well advised to randomise the order they appear in (which would also stop thieves guessing the combination from greasy finger marks).

Whatever type of password or passcode you use I recommend adding in two-factor authentication whenever possible too.

And I hope that any developer taking on emoji security will be savvy enough to combine it with rate limiting and will store the codes securely, with the same care as any other type of password.

As for those of us who may end up using emoji passcodes, there is currently no way of storing them in a password vault so we’ll have to remember not to write them down, but they otherwise offer an interesting solution to securing our online accounts which, up until now, are protected with some of the shortest and least secure codes on the web.


Image of emoji passwords from Intelligent Environments.