What if we used graphical passwords for authentication?

Deyashini Chakravorty, published in UX Collective, Dec 23, 2020

Graphical passwords with image points that serve as unique “characters” in a password.

I was recently reading up on how passwords are easy to crack today and how many cybersecurity attacks start with a compromised password when I stumbled upon graphical passwords and their potential. The idea of doing away with having to memorize your alphanumeric password(s) is intriguing and relieving. I would no longer have to worry about trying out permutations of my password to log in to each application individually after getting a new phone. I also wouldn't have to resort to clicking on Forgot Password after failing to guess the password.

Graphical passwords are a method of authentication where a user uses images as passwords instead of textual, alphanumeric passwords. At the time of setting up a password (New Password and Confirm New Password), the user selects points on an image, or a set of images, that act as unique characters representing the user. An everyday example of a basic graphical password is the pattern lock on your mobile lock screen, where you connect a set of points in a set sequence for authentication. But graphical passwords are not limited to this.

What really left me impressed about the potential of graphical passwords is the range of problems they address.

  • Humans are visual creatures who process and recollect visual cues better than most other forms of data, and graphical passwords leverage just that. Not having to memorize or write down a complicated, hard-to-guess password can be liberating!
  • Graphical passwords offer a wider and broader password space and are not limited to alphanumeric permutations. (Take a 1024×768 pixel image, and there are a vast number of combinations of points that your password can be composed of.)
  • They also address the problem of keystroke logging.
  • They also stand strong against dictionary attacks and social engineering.
A single-image graphical password where multiple points make up the password. (Image: krazytech.com)
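As an added example (not code from the article), here is a minimal click-point scheme in Python that shows how image points act as password "characters": each click is quantised to a tolerance grid cell, the ordered cell sequence is salted and hashed like a text password, and the resulting password space is compared with an alphanumeric one. The 19-pixel cell size and 5-point length are assumptions.

```python
import hashlib
import hmac
import math
import os

# Constructed parameters for a click-point (PassPoints-style) graphical password.
IMAGE_W, IMAGE_H = 1024, 768   # image size mentioned in the article
CELL = 19                      # tolerance grid: clicks in the same 19x19 cell are equal (assumed)
NUM_POINTS = 5                 # length of the click sequence (assumed)
ITERATIONS = 100_000           # PBKDF2 work factor (assumed)


def to_cell(point):
    """Quantise a pixel click to a grid cell; small mouse jitter inside a cell still matches.
    Clicks near a cell boundary can fall into the neighbouring cell, a known weakness of plain grids."""
    x, y = point
    if not (0 <= x < IMAGE_W and 0 <= y < IMAGE_H):
        raise ValueError("click outside image")
    return (x // CELL, y // CELL)


def encode(points):
    """Serialise the ordered cell sequence; order matters, like characters in a text password."""
    if len(points) != NUM_POINTS:
        raise ValueError("wrong number of points")
    return b"".join(f"{cx},{cy};".encode() for cx, cy in map(to_cell, points))


def register(points, salt=None):
    """Store only a salted hash of the cell sequence, never the raw click coordinates."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", encode(points), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(record, points):
    """Constant-time comparison; malformed input (wrong length, off-image click) simply fails."""
    try:
        candidate = hashlib.pbkdf2_hmac("sha256", encode(points), record["salt"], ITERATIONS)
    except ValueError:
        return False
    return hmac.compare_digest(candidate, record["hash"])


def password_space_bits():
    """Theoretical entropy of an ordered NUM_POINTS click sequence over the tolerance grid."""
    cells = math.ceil(IMAGE_W / CELL) * math.ceil(IMAGE_H / CELL)
    return NUM_POINTS * math.log2(cells)


def alphanumeric_bits(length):
    """Entropy of a uniformly random password of `length` characters from [A-Za-z0-9]."""
    return length * math.log2(62)
```

Five clicks on a 19-pixel grid give roughly 55.6 bits of theoretical space versus about 47.6 bits for an 8-character random alphanumeric password; in practice users cluster on salient "hotspots", so the effective space is smaller.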

Graphical passwords can be embedded in multi-factor authentication in more ways than one.

For one, they can replace numeric one-time passwords. The computer screen could show an image as the password space, and your mobile phone/email could receive the same image with highlighted points that serve as the one-time password to be clicked on the picture displayed on your computer.

Graphical passwords can also be used in a recall-based technique as the first layer of authentication where a user either a) selects a number of points in a specific order in an image of her choice (single-image approach), or b) selects multiple images of her choice in a specific order (multi-image approach).

They can also replace CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), the additional layer that verifies that the user is a human. Graphical passwords end up verifying this through the human interaction they require, without frustrating users who are attempting to solve the CAPTCHA for the 7th time in a row.

But beyond these, graphical passwords can also be extremely powerful when combined with gaze tracking. It is definitely more expensive to implement today, considering the cost of the equipment that needs to be in place for this to work.

Graphical passwords with gaze tracking can serve as a second layer, with iris scanning as the first layer of authentication, for an ecosystem that protects critical information. Iris scanning, in rare cases, has been known to falsely authenticate users when presented with a very high-resolution picture of the eye. Gaze tracking in such cases can help verify that the authenticated person is indeed live. Gaze tracking also makes the authentication system more robust to shoulder surfing/peeping attacks, especially since graphical passwords alone take up more screen space than textual passwords, which makes them more prone to shoulder peeping. Entering your password (clicking the points on an image) can be done via gaze, eliminating the need to click points with a cursor.

Take our phone pattern passwords for example — It was no surprise your younger sibling was able to unlock your phone even though you never told him your password!!

The flow could be as simple as:

  1. Verify the identity of the user using iris scanning.
  2. Have the user enter his password using his gaze, with gaze-tracking equipment capturing exactly where the user is looking.

This can be challenging, since it requires a very accurate mechanism to track gaze, especially because on-screen feedback should be turned off to avoid peeping attacks.

It goes without saying that even though these innovative and creative authentication methods look promising, there are cost, time, and technology considerations that need to be taken into account when making a decision.

  • Are we willing to accept a slightly longer log-in time in exchange for a more intuitive method that has a lower error rate?
  • Is the information we are trying to protect critical enough for us to invest heavily in gaze tracking equipment?
  • Do we want the MFA to involve an additional hand-held device?
  • Should it be implemented across the organization, or only for select people in the organization who have high visibility, are granted a high level of access and are most often targeted?

There are many more questions one needs to ask before narrowing it down to the variation of graphical passwords most suitable for the use case at hand!

While I am no security expert, I would love to see where MFA is headed with so many credible solutions in the making today!
