Picture-password logins -- such as the verification process reportedly being considered for Windows 8 a part of a two-factor authentication system -- are under scrutiny, as some claim the authentication method is easy to compromise. Should enterprises sidestep this mode of authentication, or is this judgment unfair?
Ask a question
Randall Gamby, SearchSecurity.com's resident expert on identity management and access control, is standing by to answer your toughest enterprise IAM questions. Send in your questions today! (All questions are anonymous.)
Unfortunately, I agree that picture-password logins are a giant leap backward when it comes to security.
The main reason to criticize this approach is the fact that image-based authentication offers a limited number of choices. With most enterprise users now mandated to use passwords 8-15 character in length, passwords such as these are nearly mathematically impossible to break due to the large number of combinations. If a strong password has been selected with special characters as well as upper- and lower-case characters with numbers rather than a spouse’s name and birth date, it's that much harder for an attacker to guess or crack a user's password.
With picture-password logins, a user “swipes” their finger across a series of object selections in a displayed graphic, like a screen full of dolls or a crowd of people, creating a unique motion which is captured by the system. The next time the user logs in, they repeat the swipe of their previous selections and the system compares this to the captured motion to complete the authentication process. The problem is you can only put a finite number of objects in an image, especially considering some people have very large hands. For picture-password logins, the number of choices would be several tiers of strength less than that of even a six-character password. While this type of authentication has a certain fun factor, it isn’t the best way to verify a person’s identity as they attempt to login to a system.
This was first published in March 2012