Could a doodle replace your password?

Nearly 80 percent of Americans own a smartphone, and a growing proportion of them use smartphones for internet access, not just when they’re on the go. This leads to people storing considerable amounts of personal and private data on their mobile devices.

Often, there is just one layer of security protecting all that data – emails and text messages, social media profiles, bank accounts and credit cards, even other passwords to online services. It’s the password that unlocks the smartphone’s screen. Usually this involves entering a number, or just laying a fingertip on a sensor.

Over the past couple of years, my research group, my colleagues and I have designed, created and tested a better way. We call it “user-generated free-form gestures,” which means smartphone owners can draw their own security pattern on the screen. It’s a very simple idea that is surprisingly secure.

An explanation of gesture-based passwords in action.

Improving today’s weak security

It might seem that biometric authentication, like a fingerprint, could be stronger. But it’s not, because most systems that let a user allow fingerprint access also require a PIN or a password as an alternate backup method. A user – or thief – could skip the biometric method and instead just enter (or guess) a PIN or a password.

Text passwords can be hard to enter accurately on mobile devices, with small “shift” keys and other buttons to press to enter numbers or punctuation marks. As a result, people tend to use instead PIN codes, which are faster but much more easily guessed, because they are short sequences that humans choose in predictable ways: for example, using birth dates. Some devices allow users to choose a connect-the-dots pattern on a grid on the screen – but those can be even less secure than three-digit PINs.

Compared to other methods, our approach dramatically increases the potential length and complexity of a password. Users simply draw a pattern across an entire touchscreen, using any number of locations on the screen.

Measuring drawings

As users draw a shape or pattern on the screen, we track their fingers, recording where they move and how quickly (or slowly). We compare that track to one recorded when they set up the gesture-based login. This protection can be added just by software changes; it needs no specific hardware or other modifications to existing touchscreen devices. As touchscreens become more common on laptop computers, this method could be used to protect them too.

Our system also allows people to use more than one finger – though some participants wrongly assumed that making simple gestures with multiple fingers would be more secure than the same gesture with just one finger. The key to improving security using one or more fingers is to make a design that is not easy to guess.

Easy to do and remember, hard to break

Some people who participated in our studies created gestures that could be articulated as symbols, such as digits, geometric shapes (like a cylinder) and musical notations. That made complicated doodles – including ones that require lifting fingers (multistroke) – easy for them to remember.

Simple, but still complex. Wikimedia Commons

This observation inspired us to study and create new ways to try to guess gesture passwords. We built up a list of possible symbols and tried them. But even a relatively simple symbol, like an eighth note, can be drawn in so many different ways that calculating the possible variations is computationally intensive and time-consuming. This is unlike text passwords, for which variations are simple to try out.

Replacing more than one password

Our research has extended beyond just using a gesture to unlock a smartphone. We have explored the potential for people to use doodles instead of passwords on several websites. It appeared to be no more difficult to remember multiple gestures than it is to recall different passwords for each site.

In fact, it was faster: Logging in with a gesture took two to six seconds less time than doing so with a text password. It’s faster to generate a gesture than a password, too: People spent 42 percent less time generating gesture credentials than people we studied who had to make up new passwords. We also found that people could successfully enter gestures without spending as much attention on them as they had to with text passwords.

Gesture-based interactions are popular and prevalent on mobile platforms, and are increasingly making their way to touchscreen-equipped laptops and desktops. The owners of those types of devices could benefit from a quick, easy and more secure authentication method like ours.

Janne Lindqvist receives funding from National Science Foundation (NSF), U.S. Department of Homeland Security (DHS) and U.S. Department of Education. He is a professional member of AAAS, ACM, IEEE and USENIX, and several SIGs of ACM and Computer Society and Signal Processing society of IEEE. This material is based upon work supported by the National Science Foundation under Grant Numbers 1223977 and 1228777. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation.