Sounds like a great way to remember your gesture. But it also sounds like a great way to pick an extremely obvious gesture (e.g. outline of the house) that someone else can guess. If your gesture is based on prominent features in the picture, that greatly limits the search space for an attacker.
Exactly. This seems even less secure than the Android "lock pattern" mechanism, which at least provides a grid of nine features and no obvious reason to choose any particular set. (Despite that, I suspect many people use the same patterns.) The examples given in the article provide little to no security, while giving a novice user the illusion of security. Ideally, this ought to have gone through extensive practical security testing: what pictures and patterns do users pick, and how easily can others guess those patterns?
I could understand the aversion to passwords if people had to remember a pile of them, but they don't. You only need to memorize one: the password to unlock your personal system. Can people really not remember one secure password?
>Can people really not remember one secure password?
Answer: No - and then you're asking to get fully compromised when the (good and secure!) password gets revealed from some service somewhere not following best practices.
No service should ever have your secure password. It should unlock your personal system, which can then remember all the (different, random, and secure) passwords or keys for any other service you use.
You're assuming the average user's machine is secure. I don't think that's necessarily true. For most people, a list of common passwords stored under their keyboard is probably more secure than an encrypted file on their HDD.
Actually there's some solid research behind this. If I recall correctly, people naturally find it much easier to remember which parts of a picture to hit rather than remembering a password.
Unfortunately, I can't find the research and sample that I remember reading about a while back--Google is spammed with Windows 8 stuff when I search for it and I'm terminally lazy. However, I definitely recall reading about research in this vein.
Absolutely. Mostly the extra clicks though with the slide up. If we already have to swipe a pattern to unlock, make that picture show up as soon as you wake the phone.
The smudge hack is only relevant if you have a continuous swipe on the screen. If you allow lifting your finger and poke several things you have limited this hack's effectiveness, as people may see where you poked but not the order. So "tap your dogs in a certain order" weakens this hack. Also it seems to assume you are doing nothing else on the phone. When I open the phone I generally do something which leaves additional smudges. So someone will not know if they are the password or activity.
Like it or not, I like the innovation. The best would be if you had a choice of lock screens and one chooses the style you like.
I think one way to mitigate the smudge factor is just to rotate the picture each time. I am willing to bet (despite being totally uninformed :)) that a person will remember where to touch on the picture rather than the screen, so rotating the picture will not make it much more difficult to enter the password.
As several comments suggested, we also considered shrinking the size of the image and displaying it at random positions and slight rotations on the screen to minimize any risk from smudges. We knew from usability feedback that decreasing the size of the image both increased the difficulty of properly entering the gesture and made the login experience feel less immersive; however, if there were a significant improvement to security, we wanted to consider the costs and benefits. What we discovered was that while shifting the image could reduce the buildup of smudges in specific spots, there were even more prominent “clouds” of taps, lines and circles that were identical relative to each other. With this information, an attacker could easily figure out the gestures relative to each other. With that information, it was a simple exercise to move them around the picture until they appeared to coincide with significant elements of the picture. There wasn’t a noticeable improvement in security and we were able to measure significant degradations to the fast and fluid user experience. In reality, using smudges is very difficult.
Because biometrics is the least secure and easiest to copy method of security.
There are three types: What you know, what you have, and what you are.
What you know is the most secure in theory, but suffers from the limitation on human memory. But it cannot be stolen from someone without them knowing. (Yes I know it can be stolen from a device, but that's a problem in implementation and not fundamental.)
What you have is very secure - except that it's possible for it to be lost or stolen, and possibly without the person even realizing (at least not at first).
What you are is the least secure - all the detected features can be copied remotely without the person even knowing that someone copied them, and cannot be changed once copied.
Biometrics sounds very secure - but is actually very very insecure.
Let's say someone took your fingerprints off a glass or a light-switch or your car, is there any reasonable way to prevent this?
Let's also say that you somehow become aware of them having a copy of your fingerprints and you remember that your phone requires your fingerprints to unlock; what do you do?
It's the fact that you can't permanently change your fingerprints nor restrict access to them which makes them bad for authentication. Those two qualities also make them good for forensics.
Isn't that assuming that the system will accept a copy of a fingerprint? Are you telling me that I could easily spoof the fingerprint readers in immigration control simply by applying some kind of copies of another person's fingerprints over my own?
Anyway, if copying fingerprints is possible, then they are useless for forensics, contrary to your final point.
> Are you telling me that I could easily spoof the fingerprint readers in immigration control simply by applying some kind of copies of another person's fingerprints over my own?
Yes, it's pretty easy. However the immigration officer might notice.
> Anyway, if copying fingerprints is possible, then they are useless for forensics, contrary to your final point.
Well, it is possible to copy them, and they are not useless, therefore your conclusion has an error. And that error is that forensics does not require certainty, it requires evidence. Evidence is probabilistic, and accumulating various forms of it can eventually be convincing, but each piece on its own is insufficient.
Forgive me if this seems ignorant, but how is verifying a person's identity at immigration control different from verifying their identity when logging into their phone?
The main difference is automated vs human checked.
The next difference is that for authentication it's important to be able to change the password (as it were), and with biometrics that's impossible. Once copied an attacker has access forever.
But I do see your point, and there are a lot of things in common. But going back to your earlier post, just because immigration control does it that way doesn't mean it's best - it just means they don't have a better way.
You can't change biometrics, so once someone forges your identity they will always have access to anything that requires only biometric identification.
How does one forge biometrics? (Notice that I'm not asking how to spoof biometric readers with insecure designs, e.g., the one MythBusters busted).
Anyway, this is already the case – fingerprints are used as evidence of criminal liability. If someone forges my fingerprints, they could get me into a huge amount of trouble, in theory.
At the end of the day a finger or an iris is a physical object you can make. Since it's impossible to keep the "key" secret, you can always copy it and make one - how hard you have to work to make it depends on how good the design is, but fundamentally there is no secret and without a secret it's useless for authentication.
> If someone forges my fingerprints, they could get me into a huge amount of trouble, in theory.
Yes, they can, and sometimes they do. But it's not common enough for police to worry about it.
But let's admit that there's no such thing as a secret, really, and it's more about how difficult a thing is to reproduce or reverse engineer. I mean, everything about security is just a big game of "hide the ball" and the question is how many hoops one must jump through to find the ball.
Of course there are secrets. What you are trying to say is that the system will let you make many attempts till you guess the secret.
But with biometrics there are no guesses - you know exactly what it should look like. There is difficulty in implementation certainly, but a basic principle of security is that each increment of difficulty in the securer (like a longer password) should increase the difficulty of the attacker by an order of magnitude.
At least in Apple's case, perhaps the problem is the added cost of the scanner combined with Apple's one-size-fits-all model (as opposed to offering different models, so fingerprint scanners only for those who need the extra security and don't mind the added cost).
Due to the limitations on mobile devices. Currently they have few hardware buttons, a touch screen, a microphone and maybe a camera. Right now the options are bounded by these limitations.
Fingerprint or iris recognition would require additional hardware. Most customers probably would not be willing to pay extra for these. Also they might be difficult to implement well on a mobile device. And the unlocking must be very easy to use and reliable.
A question that bugs me about these kinds of locked phones: What about emergency calls?
I don't have a smartphone so I don't know how it works, but it seems from what I've seen that modern cellphones prevent people from using them for emergency calls unless they know the swipe/unlock code. Is that correct?
Edit: just googled, looks like Android and iPhone have an 'emergency call' button on the lock screen. Fair enough.
It should be mentioned that this creates problems of its own. Toronto Police recently released their numbers, and 18% of the calls to 911 were pocket dials created by those "emergency call" buttons. We're talking hundreds of thousands of calls clogging 911 each year, each requiring the operator listen to the whole pocket dial, attempt to make contact, call back, and if no contact is possible, send a squad car to investigate.
I find it annoying that we're innovating different ways of doing the exact same thing: switching from completely locked to completely unlocked.
I want near-instant access to a notepad for jotting down thoughts. I want more locking for reading existing notes. Still more for accessing email. I want a strong lock protecting apps related to finances.
The simple lock (just to prevent pocket-dialing) should be like a slider. The intermediate lock could be this drag pattern thing (which is just a friendly version of the Android drag lock). The strong lock could be a coded sequence with buttons that change location.
I like that idea, especially building it into the operating system. I also want to point out that you should be able to choose the level of unlocking based on your input to the first lock screen. Android's gesture unlock system would actually work pretty well for that.
One of my absolute favorite iOS features in iOS5 before I switched to Android was the new "take a photo from the lock screen" button. I felt understood when they added that.
It's something they borrowed from Windows Phone 7, which has allowed you instant access to the camera (albeit via a mandated hardware button) while the phone is locked.
Is it just me that presses the home button three times every time I want the camera icon to appear? The first press is because that's how I do it all the time and then I remind myself that it actually takes two presses to make the icon appear. By the time I actually manage to make the camera appear whatever I wanted to shoot is usually gone. I really want a hardware camera button like on Lumia.
That's one of the things I loved about my N900 when I first got it. When you slide open the shutter, you're instantly in camera mode. No waiting, no unlocking.