How can you build a robust password policy?
Humans are optimized for image and pattern recognition, not the alphabet. That's why we start children on picture books, rather than War and Peace.
But passwords are several layers of abstraction for humans. There's the abstract characters themselves, then arranging the letters, numbers, and punctuation, into a non-word pattern, and then remembering the pattern. Passwords are designed to NOT play to human strengths.
In the days of ASCII terminals and command line interfaces, passwords made some kind of sense. But today, the primary online interface is a graphically rich mobile device.
So why are we still stuck with alphanumeric passwords? That's the question asked by Ilesanmi Olade et al. in the paper SemanticLock: An authentication method for Mobile devices using semantically-linked images.
The Big Idea
Instead of arranging arbitrary alphanumeric characters in a non-obvious -- and non-memorable -- string, start with a group of pictures and select some that tell a story that is meaningful and memorable to you. The story can be as simple as "I eat breakfast with coffee."
So when you unlock your phone, or, hopefully, a website, you just choose from a group of graphical icons to tell your story. Today's larger screens could accommodate 12-20 icons. As icons are used, other icons could take their place, expanding the number of possible combinations.
Here's a graphic from the paper to illustrate the concept:
The techniques most similar to SemanticLock are pattern based. Users drag their finger over a grid in a pattern that they've created.
Pattern-based authentication is faster than PINs, but is vulnerable to smudge attacks, where the trail of finger grease on the screen reveals the locations. Location labels can be changed, so different patterns are required, but that sacrifices the speed advantage of pattern systems.
The researchers tested SemanticLock against PIN and Pattern authentication. They found that while Pattern gave the fastest logins, and PINs the lowest error rate, the memorability of SemanticLock stories was far superior, with only 10 percent of test participants unable to remember their passwords, far lower than other methods.
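To put the three methods side by side on guessability rather than memorability, here is an added example (not code from the paper or the article) that computes the nominal guess space of a SemanticLock story, a PIN, and a 3x3 swipe pattern. It assumes an ordered story of k icons chosen from a screen of 12-20 icons, with the article's "used icon is replaced" behaviour as a flag, and the common 3x3 pattern rule set (each dot at most once, no stroke over an unvisited dot); the rule set and the function names are my assumptions.

```python
"""Nominal guess-space comparison: SemanticLock story vs. PIN vs. 3x3 pattern."""
from math import log2, perm


def pin_keyspace(digits: int) -> int:
    """Number of distinct numeric PINs of the given length."""
    return 10 ** digits


def semanticlock_keyspace(grid_icons: int, story_len: int, replace_used: bool = True) -> int:
    """Ordered story of `story_len` icons picked from a screen showing `grid_icons`.
    replace_used=True models the article's note that a used icon is swapped for a
    fresh one, so every step offers the full grid (assumes the pool never runs dry);
    replace_used=False models a fixed grid where an icon cannot be reused."""
    if replace_used:
        return grid_icons ** story_len
    return perm(grid_icons, story_len)


def android_pattern_count(min_len: int = 4, max_len: int = 9) -> int:
    """Count valid 3x3 swipe patterns under an assumed rule set: every dot at most
    once, and a stroke may only pass over a dot that is already visited."""
    skip = {}  # dot pairs whose straight stroke crosses a middle dot
    for a, b, mid in [(0, 2, 1), (3, 5, 4), (6, 8, 7), (0, 6, 3), (1, 7, 4),
                      (2, 8, 5), (0, 8, 4), (2, 6, 4)]:
        skip[(a, b)] = skip[(b, a)] = mid

    def dfs(cur: int, visited: frozenset, length: int) -> int:
        total = 1 if length >= min_len else 0
        if length == max_len:
            return total
        for nxt in range(9):
            if nxt in visited:
                continue
            mid = skip.get((cur, nxt))
            if mid is not None and mid not in visited:
                continue  # would jump over an unvisited dot
            total += dfs(nxt, visited | {nxt}, length + 1)
        return total

    return sum(dfs(start, frozenset([start]), 1) for start in range(9))


def keyspace_bits(n: int) -> float:
    """Guessing strength of a uniformly chosen secret, in bits."""
    return log2(n)


if __name__ == "__main__":
    rows = [("4-digit PIN", pin_keyspace(4)),
            ("3x3 pattern, 4-9 dots", android_pattern_count()),
            ("SemanticLock 12 icons, 4-icon story, fixed grid", semanticlock_keyspace(12, 4, False)),
            ("SemanticLock 12 icons, 4-icon story, icons replaced", semanticlock_keyspace(12, 4)),
            ("SemanticLock 20 icons, 5-icon story, icons replaced", semanticlock_keyspace(20, 5))]
    for name, n in rows:
        print(f"{name:55s} {n:>10,d}  {keyspace_bits(n):5.1f} bits")
```

These are nominal figures for uniformly chosen secrets; in practice the effective space is smaller whenever users cluster on a few popular stories, just as dictionary words shrink the password space.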
The Storage Bits take
Researchers have been exploring graphical passwords for more than a decade. What is novel about this paper's approach is the focus on memorability through stories, which plays to the human love of narrative.
This study underscores the importance of the industry's work with fingerprint and facial recognition. Biometrics definitely simplify the mobile device authentication problem.
But it also shows how much more device vendors could do to replace passwords. What good are the best biometric authentication systems if they only get you to your phone's home page? Hello!
Courteous comments welcome, of course.