Slipsliding Away From Passwords

Tell me a story!

Everybody hates passwords, because there so many of them and keeping track is tricky. And of course we all know that passwords are inherently insecure, so we would all be better off with something else. Nowadays, there’s another reason to hate password, namely the perfusion of smartphones and other mobile devices with itsy-bitsy, teeny-weenie keypads that make typing in long, complicated passwords a real pain.

Lots of people have spent lots on time trying to come up with alternatives. Biometrics? Smartcards? Keystroke recognition? Voice recognition? You name it, somebody’s done it, but so far no one has come up with anything simple and foolproof enough to convince the IT industry to shift paradigms.

One of my favorite quick fixes to the password dilemma has always been “Passfaces”, a system used, among others, by members of the U.S. Congress. It involves memorizing a certain number of faces and later picking them out of a matrix of other faces you’ve never seen before. Politicians, it seems, are especially good at remembering a face, so for them the system is ideal. Not so for normal people, as a study by the Department of Computer Science at University College London showed. “Passfaces took a long time to execute”, the authors wrote, “and participants consequently

started their work later when using Passfaces than when using passwords, and logged into the system less often.”

Okay, so maybe Passfaces aren’t such a great idea after all. Which brings me to a conversation I had recently with Christoph Althammer of a tiny German starup called Qintecs. Based in the medieval cathedral town of Regensburg on the Danube, Althammer and his friend Martin Kühnel have come up with something they call “3SID”, which at first glance looks like a spittin’ image (no pun intended) of Passfaces, but isn’t. In fact, it’s an ingenious way to avoid the need for passwords in smartphones and other devices equipped with a touch screen.

The way it works it like this: The user shoots photos with the built-in camera of his or her device and then concocts a little story. For instance if I have a picture of my wife, my daughter and, let’s say, Moran’s Oyster Cottage in Galway, Ireland (yes, I just got back from vacation, why do you ask?), the story could be: “I went with Gabi and Valerie to Moran’s” By sliding the appropriate picture over the previous one, you create a pattern which unlocks the device. Okay, it sounds a lot more complicated than it is, believe me.

Technically, the concept is very appealing because it doesn’t involve simply substituting a picture for a character or set of characters. The system actually uses the vectors generated on the touch screen to create a hash value which is then used as the identifier. All those Murdoch reporters using script kid tools to unlock people’s mobile phones don’t stand a chance of getting in by simply trying out all the possible combinations. You would have to actually look over my shoulder to see which picture I am pushing and where I’m pushing them, which would be tricky if I am using four or five images.

It took me about 10 seconds to get the trick, so I guess anybody could do it. And all I needed was my thumb, so I could probably do it while driving (although I don’t suggest anyone should).

But how do I reset the system if I forget my little story line, I asked Althammer. He beamed at he and showed me what I think is a really neat idea: Users are provided with a card containing an OR Code which looks like a square bar code. All you have to do is take a photo of the code marker with the built-in camera of your smartphone, type in a password [sic!], and you’re off to the races.

Frankly, even if §SID doesn’t cath on the way it’s inbvestors would like, I think the OR Code idea deserves some attention by identity experts. Why didn’t I think of that?

Anyway, Althammer and his backers have secures a patent on their investion, and they’re actively looking for investors, so if you, too, hate passwords and would like to make a mint of money providing an alternative, maybe you should gibe them a ring. You can reach him at

Dieser Beitrag wurde unter Das digitale Ich, IT Security, posts in English abgelegt und mit , , verschlagwortet. Setze ein Lesezeichen auf den Permalink.

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert

Diese Website verwendet Akismet, um Spam zu reduzieren. Erfahre mehr darüber, wie deine Kommentardaten verarbeitet werden.