Are squiggly lines the future of password security?
05 June 2014
Engineers are exploring the security and memorability of free-form gestures, which might one day replace passwords.
With all the publicity surrounding malware, the taking down of botnets and two-week windows to ensure our personal systems are better protected, it is not surprising that the need for robust password security has become more critical than ever. Now, in what they believe to be the first study of its kind, researchers are looking at free-form gestures, which may offer a viable alternative to typed passwords.
A new Rutgers University study shows that these free-form gestures – sweeping fingers in shapes across the screen of a smart phone or tablet – can be used to unlock phones and grant access to apps. These gestures are less likely than traditional typed passwords or newer 'connect-the-dots' style grid exercises to be observed and reproduced by 'shoulder surfers' who spy on users to gain unauthorised access.
"All it takes to steal a password is a quick eye," says Janne Lindqvist, one of the leaders of the project and an assistant professor in the Department of Electrical and Computer Engineering at Rutgers. "With all the personal and transactional information we have on our phones today, improved mobile security is becoming increasingly critical."
In developing a secure solution to this problem, Lindqvist and the other researchers from Rutgers and collaborators from the Max-Planck Institute for Informatics and the University of Helsinki, studied the practicality of using free-form gestures for access authentication.
With the ability to create any shape in any size and location on the screen, the gestures had an inherent appeal as passwords. Since users create them without following a template, the researchers predicted these gestures would allow for greater complexity than grid-based gestures offer.
"You can create any shape, using any number of fingers, and in any size or location on the screen," Lindqvist explains. "We saw that this security protection option was clearly missing in the scientific literature and also in practice, so we decided to test its potential."
To do so, the researchers applied a generate-test-retest paradigm where 63 participants were asked to create a gesture, recall it, and recall it again ten days later. The gestures were captured on a 'recogniser' system designed by the team.
Using these data, the authors tested the memorability of free-form gestures and invented a novel method to measure the complexity and accuracy of each gesture using information theory. Their analysis demonstrated results favourable to user-generated, free-form gestures as passwords.
To put their analysis to practice, the Rutgers researchers had seven computer science and engineering students, each with considerable experience with touchscreens, attempt to steal a free-form gesture password by shoulder surfing.
None of the participants were able to replicate the gestures with enough accuracy, so while testing is in its preliminary stages, the gestures appear extremely powerful against attacks.
While widespread adaptation of this technology is not yet clear, the research team nonetheless intends to pursue its work analysing the security and management of free-form passwords in the hope that it might provide enhanced online security at some time in the future.
How to protect your systems
Robert Rutherford, CEO of business consultancy QuoStar has detailed ten essential measures businesses should take to ensure that they’re protected from the two current threats that have received so much publicity, and others like them, now and in the future.
Have a suitable backup system in place
It’s important to have your system not only backed up, but backed up to a time that you would be happy to start afresh from. If the worst happens and an old system back up is used, a lot of progress may be lost. If you work on the technical side, think RPO and RTO. It should also be noted that companies often keep recent backups on disk, you’d be in trouble if these also got encrypted by a virus/malware.
Ensure all endpoints have the latest security updates
Endpoints can include PCs, laptops, smartphones, tablets and specialised equipment. Obviously make sure that the technologies your employees are using stay updated with the latest security updates. If you have people ‘in the field’, ensure that you can also monitor their compliance.
With the ability to create any shape in any size and location on the screen, the gestures had an inherent appeal as passwords
Use a sensible business-grade protection system across the business
It’s impossible to monitor everything your employees are doing as it happens, so deploying the right antivirus or endpoint protection system throughout your business can provide a safety net.. A system with ‘zero-day attack’ protection is best; this will help keep your business safe from any threats that arise before the latest security update is available.
Use an appropriate firewall
A business-grade firewall will be your first line of defence against virus and malware attempting to enter your network. Again, an application layer firewall with zero-day attack protection is advisable to prevent newer, unknown threats before they can be patched.
Educate your employees on potential threats
Spending some time teaching your employees what to look out for and how to handle anything suspicious can greatly reduce the risk of malware finding its way into your business. It’s vital for an employee to be able to identify, for example, a malicious email or website link.
Restrict uncontrolled external devices
The best way to stay safe with external devices such as USBs and CDs is to restrict them completely. Despite taking every precaution, employees can still unknowingly harbour a virus or malware on their device and spread it throughout the system when they plug it in. If you need to give access then use device control systems to manage the risk.
Plan for disaster
Although it’s important to take precautions to prevent attacks on your business, it’s just as important to have a tested recovery plan in case a disaster can’t be averted. Ensure you know which business assets could be affected by a virus type attack and document the control and response. Be sure to store it off the network, as it may be inaccessible during an attack!
Restrict administrator rights
Be wary of giving users administrator rights on their computer; those without rights will be prompted to contact an administrator during certain processes which involve sensitive files, allowing a more authoritative decision to be made. Access, without the proper knowledge, can result in users letting in a virus or malware which may spread quickly through a system’s core.
Don’t stay logged in with administrator rights
For those with access to administrator rights, ensure that they aren’t permanently logged in with them. Users, often IT staff may have a moment of carelessness and facilitate the entry of a virus or malware. Make sure that these users only log on with administrator rights when they are needed to avoid unnecessary risk.
Be wary of unsecured wireless networks
Make sure you have controls in place to prevent users from connecting to unfamiliar wireless networks with appropriate controls in place. Unsecured wireless networks are an accident waiting to happen.
“Cyber threats are by no means a new problem for businesses, but these threats often proliferate through laziness and complacency," says Mr Rutherford. "Human error isn’t easy to account for, but preventative measures can be taken and systems installed to ensure that risks are negated.
"Having precautions in place for the worst case scenario is not only necessary to prevent a complete infrastructure meltdown, but also to address the root cause of such problems. Be sure that anyone with access to your business network is aware of the potential cyber threats and is able to identify anything malicious. Allowing users work on your network who are negligent or unaware of common scams puts your business at incredible risk.”
Contact Details and Archive...