Are squiggly lines the future of password security?

Jun 04, 2014
Researchers studied the practicality of using free-form gestures for access authentication on smart phones and tablets. With the ability to create any shape in any size and location on the screen, the gestures had an inherent appeal as passwords. Since users create them without following a template, the researchers predicted these gestures would allow for greater complexity than grid-based gestures offer. Credit: Michael Sherman, Gradeigh Clark, Yulong Yang, Shridatt Sugrim, Arttu Modig, Janne Lindqvist, Antti Oulasvirta, and Teemu Roos; Rutgers University, Max-Planck Institute for Informatics and University of Helsinki.

As more people use smart phones or tablets to pay bills, make purchases, store personal information and even control access to their houses, the need for robust password security has become more critical than ever.

A new Rutgers University study shows that free-form gestures – sweeping fingers in shapes across the screen of a smart phone or tablet – can be used to unlock phones and grant access to apps. These gestures are less likely than traditional typed passwords or newer "connect-the-dots" grid exercises to be observed and reproduced by "shoulder surfers" who spy on users to gain unauthorized access.

"All it takes to steal a password is a quick eye," said Janne Lindqvist, one of the leaders of the project and an assistant professor in the School of Engineering's Department of Electrical and Computer Engineering. "With all the personal and transactional information we have on our phones today, improved mobile security is becoming increasingly critical."

Lindqvist believes this is the first study to explore free-form gestures as passwords. The researchers will publish their findings in June as part of the proceedings of MobiSys '14, a premier international conference in mobile computing.

In developing a secure solution to this problem, Lindqvist and the other researchers from Rutgers, together with collaborators from the Max-Planck Institute for Informatics (including Antti Oulasvirta) and the University of Helsinki, studied the practicality of using free-form gestures for access authentication. With the ability to create any shape in any size and location on the screen, the gestures had an inherent appeal as passwords. Since users create them without following a template, the researchers predicted these gestures would allow for greater complexity than grid-based gestures offer.


"You can create any shape, using any number of fingers, and in any size or location on the screen," Lindqvist said. "We saw that this security protection option was clearly missing in the scientific literature and also in practice, so we decided to test its potential."

To do so, the researchers applied a generate-test-retest paradigm where 63 participants were asked to create a gesture, recall it, and recall it again 10 days later. The gestures were captured on a recognizer system designed by the team. Using this data, the authors tested the memorability of free-form gestures and invented a novel method to measure the complexity and accuracy of each gesture using information theory. Their analysis demonstrated results favorable to user-generated, free-form gestures as passwords.

To put their analysis into practice, the Rutgers researchers then had seven computer science and engineering students, each with considerable experience with touchscreens, attempt to steal a free-form gesture password by shoulder surfing. None of the participants were able to replicate the gestures with enough accuracy, so while testing is in its preliminary stages, the gestures appear extremely powerful against attacks. While widespread adoption of this technology is not yet clear, the research team plans to continue to analyze the security and management of free-form passwords in the future.


More information: The paper is available online at arxiv.org/abs/1401.0561


User comments : 7


emb
5 / 5 (2) Jun 04, 2014
What shall we call this new method of personal squiggle identification? I propose we call it a 'signature', how does that sound?
Bob_60441
not rated yet Jun 04, 2014
Responding to: comment from emb. "Yep, sounds good to me". However any "signature" that can both ID and authenticate its source, needs (IMO) more than just an image, but something additional that is specific to a person, place, time, and an intangible. The latter is part of a signature that includes a person's POV and that's innate and absolutely unique.

Using "squiggly lines" to ID someone can be done using the same observations of someone doing what we define as making music. Cadence and tempo is remarkably unique to any one person, in any mood at any time. This is a (limited) example of an effect that allows one person to play music that makes you cry, and another playing that same song, makes you laugh.
Nik_2213
not rated yet Jun 04, 2014
Have you not noticed how writing & signatures often vary wildly with jet-lag, sleep-loss, exhaustion and caffeine content?? And, yes, you'll need a back-up system in case you've caught your preferred hand in the car door, or sprained it tripping over a toy...
gopher65
not rated yet Jun 04, 2014
As ever, they're missing the point. This is just another type of password, and it doesn't solve the primary issue: password reuse.

If someone is using the exact same gesture (or password, or voice command, or fingerprint, or iris scan) for *Every* *Single* *Last* *Site* that they use, it doesn't matter how complex the gesture or whatever is. All it takes is one forum hack, and suddenly your bank accounts (that you use the same email and gesture to authenticate) are open to the criminals of the world.

Password reuse, not password complexity, is the real issue. I don't get how these nimrods don't understand that.
Kedas
not rated yet Jun 05, 2014
Guard the front door better, forget that the backdoor is wide open....
PinkElephant
5 / 5 (1) Jun 05, 2014
Blackberry already solved this problem, and quite elegantly at that:

http://helpblog.b...-10-2-1/

You can literally let someone video-record you entering a picture password, and they still won't be able to figure it out.

I guess some people just aren't that up on the news...
alfie_null
not rated yet Jun 05, 2014
How many years might this technique be good for? Technology isn't static. Something like Google Glass to get a video of the gestures. Some sort of finger robot to replicate them is not inconceivable.