But the technology for mobile devices is a bit different. First introduced by SoftAva as PicturePassword for Treo in 2005, it worked through a two-step process. The user selected a picture from the software's built-in archive (the system couldn't accept a custom photo or picture), then selected a grid overlay and the number and location of taps on the picture with a stylus. If the user tapped the picture the right number of times in the right location, they were granted access. If they failed, they would be prompted for their regular password.
PicturePassword was eventually discontinued, but a similar technology was developed in 2007 by researchers at Newcastle University in the UK. In that system, the user chose a picture, but then had to draw a simple design on top of the background image. Since most people aren't artists, simple stick drawings were sufficient. The principle is the same as PicturePassword in that users have to remember their picture and then superimpose something with a stylus on top of the background picture.
The latest such technology is Origami Experience 2.0 from the Origami Project. It was released earlier this year at the Consumer Electronics Show. Origami Experience 2.0 is software for ultra-mobile PCs (UMPCs), which are about the size of a paperback book and run on Windows Vista. Like the PicturePassword software, the user taps on a background picture to gain access. So far, Origami Experience is limited to UMPCs.
The market for picture passwords on mobile devices is still quite limited. Another thing to consider is that, despite the ease of use, it's basically single-factor authentication. A picture password is basically a glorified password, which, with a bit more effort, could be shoulder surfed.
Since the technology isn't widespread yet, it's not on the radar screens of hackers, so it's too early to say how secure it really is.
- Learn more about trends in identity and access management.
- Should users set up password expiries in Active Directory? Read more.
This was first published in July 2008