Scribbles make surprisingly secure passwords, according to a new study.
That locking mechanism on your tablet computer or smartphone? It’s mostly a relic from the days of the keyboard. With the advent of touchscreens, the three-by-three grids and four-digit passcodes popular on today’s mobile devices are anachronistic. Yet they persist, despite “shoulder surfers” and the telltale oils left by swiping fingers.
A new study from Rutgers University suggests that squiggling—yes, squiggling—on the screen of your tablet or smartphone may provide a better authentication mechanism than the standard pattern locks favored by Google’s GOOG Android operating system and the Personal Identification Numbers (PINs) preferred by Apple’s AAPL iOS.
“The current locking and authentication mechanisms available for mobile systems commercially do not work so well,” said Janne Lindqvist, an assistant professor of electrical and computer engineering at Rutgers University and an author of the study. “Instead of having old methods or cued methods, we let people just generate gestures without any kind of visual cue or other kind of instructions.”
The studies’ researchers, which included collaborators from the Max-Planck Institute for Informatics and the University of Helsinki, asked 63 participants to scrawl “continuous free-form multitouch gestures,” essentially finger-painting on the blank touchscreen canvas of a Google Nexus 10 tablet. No grid, no template: the subjects improvised a pass-doodle, rather than a password.
The researchers then asked users to recall and redraw their scribbles after a short break and a bit of distracting mental math (counting down from 20 to 0 and rotating a shape in their minds). Next, the researchers retested the users’ memory after a minimum of 10 days. (Six subjects didn’t return for the second test.)
The trick—as with any good password—was to concoct a gesture complex enough to dupe spies yet simple enough to remember.
“You never need to be perfect,” Lindqvist said on reproducing a gesture swipe-for-swipe. “You can make a bit of errors, but not too much. It depends a lot on the security policy you want to implement.”
For instance, authentication for a mobile device might accept a higher error rate than one protecting a bank vault.
To verify matches, the team used a “recognizer” algorithm, which compared each gesture to a set of stored templates. The algorithm then calculated an average score for each attempt at unlocking. Gestures whose scores rose above a certain threshold value were authorized entry.
“You never can, in any case—with any kind of meaningfully complex gesture—repeat it exactly the same way,” Lindqvist said, noting that it takes at least three repetitions, or templates, for a gesture to become stable. (For improved accuracy, the study used 10 templates per participant.)
The researchers also used a flexible algorithm. Participants were able to draw anywhere on the device’s screen at whatever size and angle they wished, as long as the shape of the gesture was correct. Such flexibility may allow single gestures to adapt across platforms: for instance, on the larger screen of a tablet versus the smaller screen of a smartphone.
To measure each gesture’s level of security, the researchers imported a concept from Information Theory called “differential entropy.” This metric quantified the “information content,” or “surprisingness,” of a gesture. Generally, the most secure gestures were the most complex. Some of these looked like brambles, tumbleweeds or multi-faceted jewels.
On average the most memorable gestures were shorter and simpler than those best for security. Some of the most memorable ones included simple angular shapes, like triangles, and signatures.
The least-secure gestures consisted of gentle, looping circles.
Another measure of security involved a “shoulder surfing” test. Six student volunteers independently watched videos of another student performing three representative gestures. These “attackers” were then asked to replicate each gesture.
The preliminary results were promising. “None of the attackers came even close to the gesture,” Lindqvist said.
In fact, one attacker did nearly replicate one of the gestures—a backwards “N”—but did not come close enough for a “recognizer” to authenticate.
“Typing in a password seems to be an artifact of the past,” said Nasir Memon, professor of computer science and engineering at New York University, who was not involved in the study. “There is definitely a need to explore the alternatives.”
Still, even with the aid of muscle memory, one must question how confusing a world of security gestures might become.
“If you have three different gestures for three different accounts, how do you deal with that?” Memon asked.
In future studies, Lindqvist said he plans to instruct participants in best practices for generating secure and memorable gestures. He also hopes to expand the shoulder-surfing test. “I think that this robust alternative and a better alternative than the current method, and looking forward to working on this more,” Lindqvist said.
If the new tactic’s promise holds, the future of password security may look less like a keyboard and more like finger-skating. For now, though, the billions of people around the world using mobile devices must stick with their PINs and patterns.
“It holds potential,” Memon said. “But we’re still a long way from it being seriously adopted.”