Picture-password logins -- such as the verification process reportedly being considered for Windows 8 as part of a two-factor authentication system -- are under scrutiny, as some claim the authentication method is easy to compromise. Should enterprises sidestep this mode of authentication, or is this judgment unfair?
Unfortunately, I agree that picture-password logins are a giant leap backward when it comes to security.
The main reason to criticize this approach is the fact that image-based authentication offers a limited number of choices. With most enterprise users now mandated to use passwords 8-15 characters in length, passwords such as these are nearly mathematically impossible to break due to the large number of combinations. If a strong password has been selected with special characters as well as upper- and lower-case characters with numbers, rather than a spouse's name and birth date, it's that much harder for an attacker to guess or crack a user's password.
With picture-password logins, a user "swipes" their finger across a series of object selections in a displayed graphic, like a screen full of dolls or a crowd of people, creating a unique motion which is captured by the system. The next time the user logs in, they repeat the swipe of their previous selections and the system compares this to the captured motion to complete the authentication process. The problem is you can only put a finite number of objects in an image, especially considering some people have very large hands. For picture-password logins, the number of choices would be several tiers of strength less than that of even a six-character password. While this type of authentication has a certain fun factor, it isn't the best way to verify a person's identity as they attempt to log in to a system.
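The keyspace argument above can be made concrete by counting. The following is an added example (not code from the original answer, and not a model of any particular vendor's implementation): it computes the entropy in bits of an ordered sequence of selections and compares a picture password against text passwords of various lengths and character sets. The picture-password parameters (20 selectable objects, 3 ordered selections) are assumptions chosen for illustration; change them to see how many objects and selections an image would need before it matches a six-character password.

```python
import math
import string

# Constructed comparison parameters (assumptions, not figures from the page).
PICTURE_OBJECTS = 20     # distinct objects a fingertip can reliably select in one image
PICTURE_SELECTIONS = 3   # ordered selections that make up one login gesture

LOWERCASE = string.ascii_lowercase                                   # 26 symbols
FULL = string.ascii_letters + string.digits + string.punctuation     # 94 symbols


def sequence_bits(choices_per_position: int, positions: int) -> float:
    """Bits of entropy in an ordered sequence with `choices_per_position`
    equally likely options in each of `positions` slots: log2(c ** n).
    Assumes uniform choice; real user picks are worse, so this is an upper bound."""
    if choices_per_position < 2 or positions < 1:
        raise ValueError("need at least 2 choices and 1 position")
    return positions * math.log2(choices_per_position)


def text_password_bits(length: int, charset: str) -> float:
    """Entropy of a `length`-character password drawn uniformly from `charset`."""
    return sequence_bits(len(set(charset)), length)


def picture_password_bits(objects: int, selections: int) -> float:
    """Entropy of `selections` ordered picks (repeats allowed) among `objects`."""
    return sequence_bits(objects, selections)


def equivalent_text_length(bits: float, charset: str) -> int:
    """Shortest text password over `charset` with at least `bits` of entropy."""
    per_char = math.log2(len(set(charset)))
    # Small tolerance so an exact multiple (e.g. 6 chars) does not round up to 7.
    return max(1, math.ceil(bits / per_char - 1e-9))


def compare(objects: int = PICTURE_OBJECTS, selections: int = PICTURE_SELECTIONS) -> dict:
    """Summarise how a picture password with the given parameters stacks up
    against a six-character lowercase password and an eight-character full-charset one."""
    pic = picture_password_bits(objects, selections)
    six_lower = text_password_bits(6, LOWERCASE)
    return {
        "picture_bits": pic,
        "picture_keyspace": objects ** selections,
        "equiv_lowercase_chars": equivalent_text_length(pic, LOWERCASE),
        "six_char_lowercase_bits": six_lower,
        "eight_char_full_bits": text_password_bits(8, FULL),
        "weaker_than_six_lowercase": pic < six_lower,
    }


if __name__ == "__main__":
    for objects, selections in [(20, 3), (50, 3), (100, 4), (100, 5)]:
        r = compare(objects, selections)
        print(f"{objects} objects x {selections} selections: "
              f"{r['picture_keyspace']} gestures, {r['picture_bits']:.1f} bits "
              f"(about a {r['equiv_lowercase_chars']}-char lowercase password); "
              f"6-char lowercase = {r['six_char_lowercase_bits']:.1f} bits, "
              f"8-char full = {r['eight_char_full_bits']:.1f} bits")
```

With the assumed 20 objects and 3 selections there are only 8,000 possible gestures (about 13 bits), roughly a three-letter lowercase password; even 100 objects with four selections stays below the six-character lowercase mark, and a lockout policy, not the gesture's keyspace, is what prevents exhaustive guessing.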