At last week’s AT&T Cyber Security Conference in New York, NYU-Poly computer science professor Nasir Memon discussed some of his latest research into touch-based authentication for mobile devices as a possible replacement for traditional text-based passwords.
Because mobiles are increasingly used to conduct financial transactions and store sensitive data, coupled with the fact that they are far easier to misplace, Memon said we need more rigorous forms of authentication on these devices. You can’t rely on whoever finds it to track the owner down, the NYU-Poly professor quipped, and the time lag between when an enterprise device is lost and actually reported to the IT department is a crucial window where data can be leaked – if proper authentication mechanisms are not in place.
Current practice is to enter a four-digit PIN or text password. “It’s a pain in the neck to enter a complicated password on a touch screen”, Memon observed. It becomes even more painful, he added, if users need to enter a complicated password on a touch screen, such as those with a combination of upper and lowercase letters, numbers, and/or special symbols.
Solutions such as Android’s touch patterns are a first-step in this new direction, yet it is far from completely secure, Memon said. “The main problem [with this] is that people tend to use very simple patterns and it is observable”, he noted, adding recent research has shown that smudges left on the screen of mobiles using touch-based patterns can aid in deciphering the pattern.
Moving back to the text-based password, Memon said the problem with its continued use was that this authentication scheme was designed for devices with traditional keyboards, and not touch-screen interfaces. Therefore, something better is needed that “naturally suits” the new way we interact with these devices.
One solution is the multi-touch gesture, as opposed to simple touch-based patterns. Using an iPad, for example, Memon said factors such as gesture speed and the distance between someone’s fingers could provide for an easy, “reasonably accurate” method to authenticate a user. Differentiating characteristics, such has hand size, shape, and geometry “would provide enough information that would allow us to distinguish people”. He warned that it may not work for the entire global population of seven billion people, but could be used to accurately authenticate a person among a smaller subset of users.
“Security and usability must be aligned in order to be effective”, Memon said, therefore organizations looking to make use of multi-touch gestures must account for the fact that the gestures should be viewed as “more fun, exciting, or more pleasing to use” than traditional passwords. Examples include a simple swipe across a touch screen, or the opening/closing of fingers to zoom in or out. In all, he tested 22 gestures that could be employed to determine which were the most “pleasing” for users and how secure they were.
Authentication accuracy depended on the type of gesture, according to the research. “The ones [touch gestures] that are the most pleasing are also the ones that have the highest amount of distinguishability”, said Memon of the results – findings he found to be positive for the feasibility of multi-touch gestures.
“It’s time to start exploring alternatives to passwords”, the NYU-Poly professor declared. “The interface is changing, and this is the right time to look for alternatives. I’m not saying that this [multi-touch gesture] is the alternative…but when looking into alternatives, we can now try to take usability into account.”