Friday, October 20, 2006

Tactile Passwords could strengthen our security

There's an interesting article over at NewsScientistTech on "Tactile Passwords", a user need-to-know authentication method that relies in the sense of touch. This means that one doesn't have to type in or pronounce a string of characters or numbers, just remember a tactile pattern (or sequence of patterns) and select it upon challenge by a security system.

In detail, Braille-like devices (already employed by visually impaired people) are used to carry patterns to the user's fingertips. Then, the user must click (or somehow select) the ones corresponding to the unique sequence he was given by the Certificate Authority. It's like the machine is asking you "Is ABC your password?" and if it is, you answer "Yes". This may seem stupid at first sight but think about it.

No sensitive information is exposed on a screen or keypad but tiny pins under your fingertips, which only you (the person in contact) may feel and "read", perform the authentication process. Of course the sequence of patterns is randomized each time but that's a detail.

I believe this is a very interesting idea when it comes to safeguarding a critical point in user authentication: the one-factor (aka password) policy. Every time you type in your ATM PIN code or any other code for that matter you shield (or should do so) the keypad with your hand. Why? Because anyone standing behind you could see what you are typing. This is the same reason asterisks, instead of the actual password, appear on the screen. "Shoulder-Surfing" is a big headache to security experts. Could this be the end of it?

Of course I, being a little more paranoid, believe that any place where some stranger may stand behind you while typing a PIN code is not a safe place. He can always stick a weapon in your back and force you to type the correct code. As you can see, if you have to worry about someone observing your actions, you have to worry about even more serious things. Anyway, just giving some food for thought.

P.S.: If you can't picture the tactile authentication devices, check this out. It looks like a common mouse, doesn't it? :)

No comments: