Free-Form Gestures Could Be Passwords Of The Future

Peter Suciu for redOrbit.com – Your Universe Online

Security experts have long recommended using a “strong” password on a PC, but the need for complex, hard-to-crack passwords has grown with the rise of mobile devices, including phones and tablets. Hackers can try to break into a mobile device remotely, but users also need to watch out for prying eyes.

“All it takes to steal a password is a quick eye,” said Janne Lindqvist, assistant professor in Rutgers School of Engineering’s Department of Electrical and Computer Engineering, in a statement. “With all the personal and transactional information we have on our phones today, improved mobile security is becoming increasingly critical.”

Studies have shown that traditional passwords based on alphanumeric sequences could be difficult to remember yet all too easy to observe while being typed on a device. Clearly there is a need for more robust password security.

The new Rutgers study, which was led by Lindqvist, found that free-form gestures – what we might think of as just “squiggly lines” – could be used to unlock phones and grant access to apps. These gestures could be made by sweeping one’s finger across the device’s screen to make a series of shapes.

[ Watch the Video: MobiSys’14 Video: User-Generated Free-Form Gestures For Authentication: Security And Memorability ]

According to the findings, these gestures could be less likely than traditional typed passwords, or even the newer “connect-the-dots” grid exercises, to be observed and subsequently reproduced by so-called “shoulder surfers” who might spy on users to gain access to a device or a website.

Lindqvist said that this could be the first-of-its-kind study to explore how free-form gestures could be used as passwords. The researchers from Rutgers, along with collaborators from Max-Planck Institute for Informatics, including Antti Oulasvirta, and University of Helsinki, studied the viability of free-form gestures for access authentication and found that users could create shapes that act as a form of password.

Since these shapes could be created without following a template, the researchers predicted that the gestures could have greater complexity than grid-based offerings.

“You can create any shape, using any number of fingers, and in any size or location on the screen,” Lindqvist added. “We saw that this security protection option was clearly missing in the scientific literature and also in practice, so we decided to test its potential.”

During the study, the researchers tested the actual security of the gestures, which included having seven computer science and engineering students, each with considerable experience with touch screens, attempt to steal a free-form gesture password by shoulder surfing. The researchers said that none of the participants were able to replicate the gestures with enough accuracy, which they said suggests that gestures appear extremely powerful against attacks.

The researchers also tested the ‘memorability’ of free-form gestures, and even developed a method to measure the complexity and accuracy that these gestures present as a password, yet some questions remain.

For one, “reliable ‘replicability’ would be a major challenge for most people,” said Charles King, principal analyst at Pund-IT. “In fact, I expect that the level of frustration would eventually be so high that extending the middle finger of one hand might become the gesture equivalent of ‘1,2,3,4’ in written passwords.

“It’s likely that the folks researching this have something more complex in mind,” King told redOrbit. “But if this succeeds and becomes commonplace, standing in line at the ATM could become the equivalent of visiting the Ministry of Silly Walks.”

The researchers on the project will publish their findings later this month as part of the proceedings of the MobiSys ’14 international conference in mobile computing.