“When he reached the entrance of the cavern, he pronounced the words, “Open, Sesame!” The door immediately opened, and when he was in, closed upon him. In examining the cave, he was in great admiration to find much more riches than he had expected from Ali Baba’s relation. He quickly laid as many bags of gold as he could carry at the door of the cavern; but his thoughts were so full of the great riches he should possess that he could not think of the necessary word to make it open, but instead of “Sesame,” said, “Open, Barley!” and was much amazed to find that the door remained fast shut. He named several sorts of grain, but still the door would not open…”

– Excerpt from the book — ‘One Thousand and One Nights — Complete Arabian Nights Collection’

We all know how the story proceeds: the forty thieves return to their cavern and behead Cassim. We may not lose our heads if we forget our password (not literally, anyway), but it surely annoys us greatly at times.

The question is, why do we forget our passwords so often? The reason: crazy, outdated password set-up rules that annoy us every time we go through a typical sign-up process. These rules push us off our natural memory paths at the very moment we are trying to set a password we can remember easily.

They make us follow antiquated rules to set something that can be hard to recall later. It always annoys me to set a password that satisfies the system’s rules rather than one I actually want to set and remember. See the example below: 8 characters, uppercase, lowercase, numbers and symbols or special characters?


See this other example below, from the ‘McAfee Internet Security’ signup form. It is redundant to say the password must be ‘between’ 8 and 32 characters long; ‘at least 8 characters’ would suffice, since the probability of someone exceeding 32 characters is negligibly low. Why not optimize the copy for the most common scenarios? That could be a topic for another post, perhaps.


“The real question is, why haven’t our systems evolved to simpler password solutions? Granting easy access to users, securing their data and providing a better user experience overall?”

How are we supposed to set a password by navigating a complex set of rules, and then remember it? Most people wouldn’t. They either use a simple password they can remember or set the same password everywhere. In doing so they undermine the very ‘security’ these complex set-up rules were meant to provide, and leave the system vulnerable. The paradox is obvious: the more complex the password set-up rules, the less secure the system.

With the use of technology and various devices, we are evolving constantly. While on one hand smartphones make us smarter, they are also responsible for our fading memories. They remember for us now. Our brain is unlearning how to remember a phone number, because it knows it can retrieve that information from our mobile phone when needed.

However, passwords are a different matter; they are supposed to be kept secret. How do smartphone-addicted individuals remember complex passwords? Well, they write them down. And for ease, they write them down in note apps on their smartphones or desktops, or even on post-its stuck to their workstations, or worse, kept in their wallets or wherever is easiest to reach, because we need them so frequently. This makes it easier for a hacker to steal your password, and defeats the very purpose of having complex password set-up rules in the name of security.

Is there a better system that can offer real security in this vulnerable situation? IMO, there is no clear answer to this question yet. However, we can slowly evolve towards safer, more secure, better and, more importantly, easier solutions. How, you may ask?

The answer is right in our hands, in our existing smart phones. Hiding in plain sight, ready to be adopted — ‘Touch ID’ and ‘Pattern Locks’. Yes, why not use them in our signup and user onboarding processes? It’s a simple and great tool for better security and better user experience. Isn’t it?

I have been experimenting with this idea in my UI deliveries using ‘Touch ID’. It is very easy to include Touch ID in user onboarding. If the user chooses to enable it during sign up, it helps them at login by removing the inconvenience of keying a username and password into the required fields. When the user opts to log in with Touch ID, authentication tokens are exchanged between the device and the app. The app is only notified whether the authentication succeeded; it cannot access fingerprint data from the iOS Secure Enclave. Further, the fingerprint scan is stored without any identity mapping, and only in an encrypted format readable by the Secure Enclave. The nodal maps of your fingerprints are never sent to Apple servers, nor backed up to iCloud or iTunes, which makes the entire process very secure and robust.
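As an added illustration of the flow described above (this is example code, not code from the original post), here is how an iOS app can keep its server-issued session token in the Keychain gated behind Touch ID using Apple’s LocalAuthentication and Security frameworks: the app only ever receives a success/failure outcome and the token, never biometric data. The Keychain service name and both function names are assumptions.

```swift
import Foundation
import LocalAuthentication
import Security

// Constructed Keychain item name for this example (hypothetical).
let tokenService = "com.example.app.session-token"

/// At sign-up, after the normal username/password login succeeded, store the
/// server-issued session token gated by the currently enrolled fingerprints.
/// The Secure Enclave releases the item only after a successful Touch ID match;
/// the app never handles fingerprint data itself.
func enrollBiometricLogin(token: Data) -> Bool {
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        nil,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, // never backed up, needs a passcode
        .biometryCurrentSet,                              // invalidated if fingerprints change
        &cfError) else { return false }

    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: tokenService,
        kSecAttrAccessControl as String: access,
        kSecValueData as String: token,
    ]
    SecItemDelete(query as CFDictionary)            // replace any previous enrollment
    return SecItemAdd(query as CFDictionary, nil) == errSecSuccess
}

/// At login, prompt for Touch ID. On success the OS returns only the stored token,
/// which the app then presents to the server; on failure or when no biometrics are
/// enrolled the caller falls back to the username/password form.
func loginWithTouchID(completion: @escaping (Data?) -> Void) {
    let context = LAContext()
    var error: NSError?
    guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                                    error: &error) else {
        completion(nil)                             // no Touch ID available: use password
        return
    }
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: tokenService,
        kSecReturnData as String: true,
        kSecUseAuthenticationContext as String: context,
        kSecUseOperationPrompt as String: "Log in with Touch ID",
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item) // shows the Touch ID prompt
    completion(status == errSecSuccess ? item as? Data : nil)
}
```

Because the item is bound to the current biometric set, adding or removing a fingerprint on the device invalidates the stored token, so the user is sent back through the password login once.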


So what’s the idea for Android devices?

For Android devices and other devices without Touch ID, the Android pattern lock can serve as a replacement. However, pattern locks are not as reliable as Touch ID. A study by the University of Pennsylvania explores smudge attacks that exploit the residual oils left on touch-screen devices. It investigates the feasibility of recovering a full or partial unlock pattern by photographing the smudges on an Android smartphone’s screen. Even with smudge ‘noise’ from simulated application usage, or distortion caused by incidental contact with clothing, the study shows that the pattern can be recovered fully or partially. This clearly demonstrates how much weaker Android pattern locks are compared with Touch ID.

Touch ID and pattern locks are a small step towards the bigger goal of secure and user-friendly authentication. They surely pave the way for many more innovative, smart systems that make our data and our lives more secure.