Researchers are exploring whether drawing free-form wiggly lines and shapes on a smartphone or tablet screen could be used to replace typed passwords. When it comes to unlocking a mobile device, as long as it doesn’t have a fingerprint scanner like the iPhone 5S or the Samsung Galaxy S5, there’s no need to be a card-carrying member of Anonymous to gain access.
“All it takes to steal a password is a quick eye,” said Janne Lindqvist, an assistant professor in the Rutgers University School of Engineering’s Department of Electrical and Computer Engineering, New Jersey. “With all the personal and transactional information we have on our phones today, improved mobile security is becoming increasingly critical.”
The majority of passwords are either four characters or, on Android devices, a join-the-dots pattern, neither of which is hard to replicate, but both security systems persist because they offer a compromise: increased safety without increased complication.
However, because our phones are storing more and more crucial information (everything from home addresses and bank account details to, perhaps, apps for controlling the car and even home systems), a team from Rutgers University including Lindqvist, plus collaborators from Germany’s Max-Planck Institute for Informatics and the University of Helsinki, decided to conduct a first-of-its-kind study.
The study asked whether drawing multiple patterns and shapes, with multiple fingers, across the screen could be used to lock and unlock a device and, more importantly, whether a pass ‘pattern’ would be easy to remember but more difficult to replicate than a passcode.
“You can create any shape, using any number of fingers, and in any size or location on the screen,” Lindqvist said. “We saw that this security protection option was clearly missing in the scientific literature and also in practice, so we decided to test its potential.”
To find out if free-form linear expressions were as easy to remember as the alternatives, subjects were asked to create a pattern, recall it, and then recall it again 10 days later. The results were comparable with remembering traditional passwords.
To follow up, the patterns were put to the shoulder surfing test. The researchers recruited a team of computer science and engineering students with considerable touchscreen experience to act as opportunistic thieves, but none of them was able to replicate a free-form pattern accurately enough to unlock a device.
Testing is still at an early stage, and although passwords will slowly move from text and numbers to biometrics such as the aforementioned fingerprint scanners or voice print analysis, those types of features will only be available on premium handsets for some time to come.
Wiggly lines could well prove to be a simple yet secure stopgap for protecting mobile devices in general while biometrics trickle down from the most expensive devices to entry-level models.
In the meantime, the Rutgers University team will be presenting their initial findings at the MobiSys ’14 Conference on mobile systems, applications, and services on June 16 in New Hampshire, USA.