Picture-password logins -- such as the verification process reportedly being considered for Windows 8 as part of a two-factor authentication system -- are under scrutiny, as some claim the authentication method is easy to compromise. Should enterprises sidestep this mode of authentication, or is this judgment unfair?
Randall Gamby, SearchSecurity.com's resident expert on identity management and access control, answers enterprise IAM questions.
Unfortunately, I agree that picture-password logins are a giant leap backward when it comes to security.
The main reason to criticize this approach is the fact that image-based authentication offers a limited number of choices. With most enterprise users now mandated to use passwords 8-15 characters in length, passwords such as these are nearly mathematically impossible to break due to the large number of combinations. If a strong password has been selected with special characters as well as upper- and lower-case characters with numbers rather than a spouse’s name and birth date, it's that much harder for an attacker to guess or crack a user's password.
With picture-password logins, a user “swipes” their finger across a series of object selections in a displayed graphic, like a screen full of dolls or a crowd of people, creating a unique motion which is captured by the system. The next time the user logs in, they repeat the swipe of their previous selections and the system compares this to the captured motion to complete the authentication process. The problem is you can only put a finite number of objects in an image, especially considering some people have very large hands. For picture-password logins, the number of choices would be several tiers of strength less than that of even a six-character password. While this type of authentication has a certain fun factor, it isn’t the best way to verify a person’s identity as they attempt to log in to a system.
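The keyspace argument above can be put in numbers. The following is an added example, not code from the article or from any vendor's picture-login implementation; it assumes a hypothetical picture login with 30 selectable objects and a 4-tap ordered sequence (both assumed parameters), and compares its entropy in bits with a six-character alphanumeric password and with 8- to 15-character passwords drawn from the 95 printable ASCII characters. A brute-force enumeration of small cases checks the closed-form counts.

```python
import math
from itertools import permutations, product

# Assumed parameters (not from the article): 30 selectable objects on screen,
# a 4-tap sequence, 62-symbol alphanumeric and 95-symbol printable-ASCII alphabets.
PICTURE_OBJECTS = 30
PICTURE_TAPS = 4
ALNUM = 62
PRINTABLE_ASCII = 95


def bits_for_chars(length, alphabet_size):
    """Entropy in bits of a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)


def bits_for_picture(n_objects, n_taps, repeats_allowed=True):
    """Entropy in bits of an ordered sequence of n_taps picks from n_objects.

    With repeats allowed there are n_objects ** n_taps sequences; if each
    object may be tapped at most once there are n!/(n-k)! sequences.
    """
    if repeats_allowed:
        return n_taps * math.log2(n_objects)
    return math.log2(math.perm(n_objects, n_taps))


def count_by_enumeration(n_objects, n_taps, repeats_allowed=True):
    """Brute-force count of distinct tap sequences, to sanity-check the formula.

    Only practical for small inputs, which is exactly the point: the whole
    keyspace of a picture login is small enough to walk through.
    """
    objects = range(n_objects)
    seqs = (product(objects, repeat=n_taps) if repeats_allowed
            else permutations(objects, n_taps))
    return sum(1 for _ in seqs)


def equivalent_password_length(bits, alphabet_size):
    """Length of a random password over `alphabet_size` symbols with the same entropy."""
    return bits / math.log2(alphabet_size)


def compare(n_objects=PICTURE_OBJECTS, n_taps=PICTURE_TAPS):
    """Keyspace sizes in bits for the schemes discussed in the answer."""
    return {
        "picture_with_repeats": bits_for_picture(n_objects, n_taps, True),
        "picture_no_repeats": bits_for_picture(n_objects, n_taps, False),
        "six_char_alnum": bits_for_chars(6, ALNUM),
        "eight_char_printable": bits_for_chars(8, PRINTABLE_ASCII),
        "fifteen_char_printable": bits_for_chars(15, PRINTABLE_ASCII),
    }


if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name:24s} {bits:6.1f} bits  (~{2 ** bits:.3g} guesses to exhaust)")
    b = bits_for_picture(PICTURE_OBJECTS, PICTURE_TAPS)
    print(f"A {PICTURE_TAPS}-tap login over {PICTURE_OBJECTS} objects is worth about a "
          f"{equivalent_password_length(b, ALNUM):.1f}-character alphanumeric password")
```

Under these assumptions the picture login lands near 19-20 bits, against roughly 36 bits for a six-character alphanumeric password and 52-99 bits for 8- to 15-character printable-ASCII passwords; the gap is why a rate limit or lockout on failed attempts matters far more for a picture login than it does for a strong text password. Change `PICTURE_OBJECTS` and `PICTURE_TAPS` to model a different screen layout.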