Plain text, sticky notes and public places are the undoing of any password, and that is why a trio of researchers is looking into vibrations, sounds and lights as a means to make authentication to shared or personal devices invisible.
The focus is on haptic (touch sensory) inputs and sounds as a means to shield passwords from observation-based attacks in public places. A user's PIN ends up being a series of cues.
The "invisible password" theory and prototypes are outlined in a research paper entitled "Open Sesame: Design Guidelines for Invisible Passwords" that was written by Korea Advanced Institute of Science and Technology researchers Andrea Bianchi and Dong-Soo Kwon, and University of Madeira (Portugal) researcher Ian Oakley.
Bianchi developed the idea three years ago when he began working on his Ph.D. His work in a robotics lab specializing in haptic interfaces led him to believe they had other applications.
"It struck me that haptics, at its core, is an invisible modality that could be used as an 'invisible' communication channel between machines and humans," he said.
The authentication systems are targeted at public machines, such as ATMs or electronic door locks on buildings or cars, or for smartphone passwords.
The researchers say invisible inputs and outputs could put an end to shoulder surfing and spying cameras when a user is entering a PIN or password.
There are two basic interaction methods: recognition techniques, in which the user recognizes a cue from a set of encoded cues, and counting techniques, in which the user counts cues and associates the count with an action.
The haptic system uses vibrations with different intensities, rhythms, frequencies and patterns to create an "alphabet of cues" used to set up passwords and then repeated for log-in.
Audio cues use a sound, beeps or a voice calling out numbers. The trio says the audio cues are best kept private with headphones or earbuds.
The haptic inputs include a three-key pad that vibrates, a hardware selection wheel and a touch-screen wheel (see photo) for mobile devices. Inputs also include colored buttons and something called Spin Lock, which uses a series of clicks and works like a combination on a safe.
The trio has put together a video showing different prototypes and input methods, including the keypad, haptic wheel, phone lock, video spin wheel, time lock and a color lock that associates numbers and colors.
In 2009, Bianchi published a paper on his haptic ideas at the Human Computer Interaction (HCI) conference. At the conference, he met Oakley, who helped him develop interfaces beyond Bianchi's original keypad, which attached to a computer.
"I realized that the extra-level of security we provided to users was not justified by the loss in usability," said Bianchi. With the haptic keypad, he said, it took more than 20 seconds to enter a password, on top of the effort of remembering it.
Bianchi and Oakley set about developing other interfaces.
First was a haptic wheel, a hardware device the user turned to select various cues. Bianchi, however, thought the hardware was a gating factor to adoption, so an iPhone interface called Phone Lock was developed, which uses a grid of "icons" that, when touched, play a specific pattern on the phone's vibration motor.
The pair then developed a method to count haptic cues, which led to an interface called Time Lock. Eventually, password entry took less than 10 seconds and error rates among first-time users dropped to between 2% and 7%.
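To make the counting technique concrete (the interaction method described above and the one Time Lock builds on), here is a small simulation. It is an added example, not the researchers' code, and the protocol shape is an assumption drawn from the article's description: the terminal vibrates with random, unpredictable gaps; the user presses a single button after feeling the Nth pulse, where N is the next PIN digit; the terminal, which knows when it pulsed, recovers N. The gap range, reaction time and the convention that 0 is entered as ten pulses are all assumed values. A shoulder-surfer sees only when the button was pressed, and the random gaps decouple that timing from N; the `observer_guess` function shows how poorly an attacker does with press timings alone.

```python
"""Counting-style haptic PIN entry, simulated (added example, assumed protocol)."""
import random

MIN_GAP, MAX_GAP = 0.3, 1.2   # seconds between pulses (assumed values)
REACTION = 0.15               # assumed user reaction time; must be < MIN_GAP for exact decoding
MAX_PULSES = 10               # assumption: digit 0 is entered as ten pulses


def pulses_for_digit(d):
    return 10 if d == 0 else d


def deliver_cues(rng):
    """Terminal side: timestamps of MAX_PULSES pulses with random gaps, relative to round start.
    Only the terminal (and the user's fingertips) know this schedule."""
    t, times = 0.0, []
    for _ in range(MAX_PULSES):
        t += rng.uniform(MIN_GAP, MAX_GAP)
        times.append(t)
    return times


def user_press_time(pulse_times, digit):
    """User side: press shortly after the digit-th pulse is felt."""
    return pulse_times[pulses_for_digit(digit) - 1] + REACTION


def terminal_decode(pulse_times, press_time):
    """Terminal side: the digit is the number of pulses delivered before the press."""
    n = sum(1 for t in pulse_times if t < press_time)
    return 0 if n == 10 else n


def run_session(pin, rng):
    """One full PIN entry. Returns (decoded PIN, the press offsets an observer could see)."""
    decoded, observed = [], []
    for ch in pin:
        pulse_times = deliver_cues(rng)
        press = user_press_time(pulse_times, int(ch))
        decoded.append(str(terminal_decode(pulse_times, press)))
        observed.append(round(press, 3))
    return "".join(decoded), observed


def observer_guess(observed):
    """Attacker who knows the timing distribution and reaction time but not the
    actual schedule: the best effort is to divide each press offset by the mean gap."""
    avg = (MIN_GAP + MAX_GAP) / 2
    digits = []
    for off in observed:
        n = max(1, min(10, round((off - REACTION) / avg)))
        digits.append("0" if n == 10 else str(n))
    return "".join(digits)


def observer_digit_accuracy(trials, seed=0):
    """Fraction of digits a timing-only observer gets right over random 4-digit PINs."""
    rng = random.Random(seed)
    hits = total = 0
    for _ in range(trials):
        pin = "".join(str(rng.randrange(10)) for _ in range(4))
        decoded, observed = run_session(pin, rng)
        assert decoded == pin          # the terminal itself never misreads
        guess = observer_guess(observed)
        hits += sum(a == b for a, b in zip(pin, guess))
        total += 4
    return hits / total


if __name__ == "__main__":
    print(run_session("4711", random.Random(1)))   # same PIN, different observable timings
    print(run_session("4711", random.Random(2)))
    print(f"observer per-digit accuracy: {observer_digit_accuracy(500):.2f}")
```

The decisive property is that `REACTION` is smaller than `MIN_GAP`, so the press always lands between the Nth and (N+1)th pulse and the terminal's count is exact; the usability cost the article reports (seconds per digit) is visible in the offsets too, since each digit costs N random gaps.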
Bianchi says haptic systems from the past have been multimodal and have had error rates beyond 50%. The system outlined in the trio's research is unimodal and a "pure haptic password."
The trio has patented the systems and is working to find companies to partner with on development.
They are also working on techniques to foil shoulder surfing and on other methods of password input beyond haptics that are smartphone based.
"The idea is to shift the complexity of passwords from a terminal to private devices (e.g., phones), by finding ways to securely transmit a password from the private device to a terminal," says Bianchi.
The idea uses flashing lights on the mobile device, or micro-magnetic fields, that can be picked up by a hardware reader. Bianchi calls it LuxPass (video). A user would enter a code on the phone and place it on the reader; the code would trigger a sequence of flashes that transmits the password.
"The challenge is not using any type of wireless - RFID, NFC, wireless, Bluetooth - or public-key infrastructure, so as to avoid both a man-in-the-middle attack and pairing before usage," said Bianchi.
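The article does not describe how LuxPass encodes the password in light, so the following is an added example of one plausible phone-to-reader optical channel, not the LuxPass implementation. The assumed design: the phone flashes its screen or LED in a Manchester-coded frame of the form [0x7E start byte | length | ASCII digits | CRC-8], the reader samples brightness, thresholds it, and validates the frame. Nothing travels over RF and no pairing or key material is involved, which is the property Bianchi describes; what the channel relies on instead is the phone being pressed directly against the reader's sensor. The brightness trace with sensor noise is constructed inline so the block runs offline.

```python
"""Phone-to-reader PIN transfer over a light channel (added example, assumed encoding)."""
import random
from typing import List, Optional

START = 0x7E            # assumed frame marker
SAMPLES_PER_CHIP = 4    # assumed reader oversampling per Manchester half-bit


def crc8(data: bytes, poly: int = 0x07) -> int:
    """CRC-8 (poly 0x07, init 0) so a misread frame is rejected rather than accepted as a PIN."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def build_frame(pin: str) -> bytes:
    body = bytes([START, len(pin)]) + pin.encode("ascii")
    return body + bytes([crc8(body)])


def to_chips(frame: bytes) -> List[int]:
    """Manchester encoding: 1 -> bright then dark, 0 -> dark then bright. Every bit has one
    transition, so the reader can find bit boundaries and average brightness leaks nothing."""
    chips = []
    for byte in frame:
        for i in range(7, -1, -1):
            chips += [1, 0] if (byte >> i) & 1 else [0, 1]
    return chips


def render_light(chips: List[int], rng: random.Random, noise: float = 0.15) -> List[float]:
    """Phone side: SAMPLES_PER_CHIP brightness samples per chip with constructed sensor noise."""
    return [c + rng.uniform(-noise, noise) for c in chips for _ in range(SAMPLES_PER_CHIP)]


def decode_light(samples: List[float]) -> Optional[str]:
    """Reader side: threshold, take the middle sample of each chip, undo Manchester, validate."""
    chips = [1 if samples[i + SAMPLES_PER_CHIP // 2] > 0.5 else 0
             for i in range(0, len(samples) - SAMPLES_PER_CHIP + 1, SAMPLES_PER_CHIP)]
    bits = []
    for a, b in zip(chips[0::2], chips[1::2]):
        if a == b:                      # no transition: illegal Manchester symbol, reject
            return None
        bits.append(a)
    data = bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits) - 7, 8))
    if len(data) < 3 or data[0] != START:
        return None
    n = data[1]
    if len(data) != n + 3 or crc8(data[:-1]) != data[-1]:
        return None
    return data[2:-1].decode("ascii")


def transfer(pin: str, seed: int = 0) -> Optional[str]:
    """Clean transfer: phone renders the frame, reader decodes it."""
    rng = random.Random(seed)
    return decode_light(render_light(to_chips(build_frame(pin)), rng))


def transfer_with_glitch(pin: str, glitch_chip: int, seed: int = 0) -> Optional[str]:
    """Same transfer with one chip forced dark (a smudge, or the phone slipping off the sensor)."""
    rng = random.Random(seed)
    samples = render_light(to_chips(build_frame(pin)), rng)
    for k in range(SAMPLES_PER_CHIP):
        samples[glitch_chip * SAMPLES_PER_CHIP + k] = 0.0
    return decode_light(samples)


if __name__ == "__main__":
    print(transfer("4711"))                  # '4711'
    print(transfer_with_glitch("4711", 1))   # None: corrupted frame is rejected, not guessed
```

The integrity check matters for the threat model in the quote above: without RF there is no remote man-in-the-middle, but a reader that accepted partially read frames could still be fooled by a flicker from a nearby screen, so a damaged frame must fail closed and prompt the user to present the phone again.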