Most computer users would agree that passwords can be a real pain in the neck.
In an effort to reduce the hassle of passwords, some people try to standardise on one or two but inevitably end up with a handful, depending on which systems or services they are trying to access. Of course we, the IT professionals, make it harder for users, as we insist they create the most horribly complex passwords imaginable on the basis that no hacker could possibly guess the secret combination of numbers, letters and cases.
The flaw in this allegedly secure password strategy is that the more complex you make a user's password, the more likely they are to write it down. Many have tried password recall strategies that use passphrases or a similar approach, but users see these as an inconvenience; they just want to log into the system and get working.
After all, the password "GkwI4%hs283$)" may excite a security professional but it becomes a barrier to business for others.
When security becomes too visible it becomes obstructive and is therefore inclined to be switched off or ignored. Think of the numerous fingers that have been chopped off in factories by machines with their safety guards removed—these got in the way of a user's productivity and were discarded with horrible consequences.
The IT equivalent of a discarded safety guard is the written down password.
Secreted around the desk it can be found easily by those with intent. Underneath a mouse mat is a common hiding place, just like a door mat is used to hide a front door key. In fact the more secure a password appears to be to an IT security professional the more likely that users will be tempted to write it down. Research has shown around 40% of workstations apparently have passwords written down somewhere. My experience would suggest this is a conservative estimate.
Clearly something needs to be done, but what is this something?
Based in the UK, Tricerion have come up with a rather intriguing solution to the password problem using three products:
- SafeLogin for Web
- SafeLogin for Windows Enterprise
- SafeLogin for Windows Standalone
SafeLogin is designed to prevent account hijacking using techniques such as phishing, shoulder surfing and keystroke logging.
Normally a user authenticates to a service provider in a one-way process. In a mutual authentication architecture the service provider must also authenticate itself back to the user, proving that the user is logging into the correct, unadulterated site.
The weakness of most mutual authentication schemes is that they rely on the user working out whether the service provider is genuine or has been hijacked by a third party. Given how sophisticated these attacks have become, this is not always reliable; in many cases even an IT security professional would struggle to tell at first glance whether the site was the original.
With the Tricerion SafeLogin approach, login credentials cannot be entered into a fake site because user authentication is handled by an external resource that acts as an independent credential checker for both parties. Tricerion call this triangulation, as this service forms the third corner of the user and website triangle.
So far so good.
The really interesting part of the Tricerion story is the use of picture passwords.
The core premise of picture passwords is that people are more inclined to remember pictures than text. This is called the "picture superiority effect" and has apparently stood up to 50 years of investigation by psychologists. In making the transition from conventional passwords to pictures users were found to be making fewer errors after a bit of practice.
The use of pictures also makes the sharing of passwords very difficult. Let's see why.
The user is issued with a password that comprises a set of images; the number and type of images can be set by the service provider. For example, a four-image password could show a chapel, a chair, coffee and the world, which a user would remember as chapel/chair/coffee/world.
When presented with a login screen the user selects their pictures on the screen in the same way they would select numbers or letters on a conventional password login screen.
Sharing of passwords is made more difficult because chapel/chair/coffee/world can describe any number of kinds of chapel, chair, coffee or world, each of which looks different. In fact the Tricerion picture bank contains 160,000 images from which password icons are drawn. Organisations can use these pictures or provide their own "house style" of images.
Freed from the conventional alphanumeric character set, the number of possible picture combinations grows with how many distinct picture types the provider offers and how many images the user must pick, and for all intents and purposes it is limitless. Note that it is this count of picture types and password length that governs resistance to guessing; the 160,000 images in the library are different renderings of those types, so every picture of a chair is the same password element, and the size of the library improves resistance to observation rather than to guessing.
Shoulder surfing is made more difficult because remembering which kind of chair or world the user selected is tough. The next time the user is asked to log in they receive another random selection of images, with other kinds of chair or world, which gives the shoulder surfer real difficulty.
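To make the mechanism concrete, here is a small Python model of a category-based picture password. It is an added example written for this page, not Tricerion's code, and the image bank, the grid of one image per category, the ordered four-category secret and the verification rule are all my own assumptions. It shows why a fresh grid on every login defeats a replay of the tile ids a shoulder surfer observed, and it computes the size of the secret space from the number of picture types rather than from the number of images.

```python
"""Toy model of a category-based picture password (added example, not Tricerion's code).

Assumed scheme: the secret is an ordered list of picture categories such as
chapel/chair/coffee/world. Every login builds a fresh grid holding one
randomly chosen image from each category, shuffled, and the server checks
which categories the clicked tiles belong to, never the image ids themselves.
"""
import math
import random

# Constructed image bank (assumption): eight categories, five distinct images each.
IMAGE_BANK = {
    cat: [f"{cat}-{n:02d}" for n in range(1, 6)]
    for cat in ("chapel", "chair", "coffee", "world",
                "bicycle", "apple", "lighthouse", "piano")
}


def new_challenge(rng):
    """Build one login grid as (image_id, category) tiles, one per category, shuffled."""
    tiles = [(rng.choice(images), cat) for cat, images in IMAGE_BANK.items()]
    rng.shuffle(tiles)
    return tiles


def legitimate_selection(secret, challenge):
    """What the genuine user clicks: the tile showing each secret category, in order."""
    image_of = {cat: img for img, cat in challenge}
    return [image_of[cat] for cat in secret]


def verify(secret, challenge, selected_ids):
    """Accept only if the clicked tiles map to the secret categories in the right order."""
    category_of = {img: cat for img, cat in challenge}
    if any(img not in category_of for img in selected_ids):
        return False  # a tile that is not on this grid: replayed or forged
    return [category_of[img] for img in selected_ids] == list(secret)


def replay_success_rate(secret, observed_ids, seed, trials=200):
    """Shoulder-surfer model: replay tile ids observed once against fresh grids.

    A replay succeeds only when every observed image happens to be drawn again.
    """
    rng = random.Random(seed)
    hits = sum(verify(secret, new_challenge(rng), observed_ids) for _ in range(trials))
    return hits / trials


def keyspace_size(n_categories, length):
    """Number of ordered secrets of `length` distinct categories drawn from n."""
    size = 1
    for i in range(length):
        size *= n_categories - i
    return size


def keyspace_bits(n_categories, length):
    """Entropy of a uniformly chosen secret; depends on categories, not image count."""
    return math.log2(keyspace_size(n_categories, length))


if __name__ == "__main__":
    secret = ["chapel", "chair", "coffee", "world"]
    grid = new_challenge(random.Random(7))
    clicks = legitimate_selection(secret, grid)
    print("genuine login accepted:", verify(secret, grid, clicks))
    print("replayed clicks succeed on fresh grids:",
          f"{replay_success_rate(secret, clicks, seed=7):.1%} of attempts")
    print(f"secret space: {keyspace_size(8, 4)} ({keyspace_bits(8, 4):.1f} bits)")
```

The replay model covers an observer who notes which tiles were clicked. An observer who can name the categories themselves (that was a chair, that was a chapel) learns the secret outright, so the obfuscation is only as good as the visual variety within each category, which is what the large image bank is for.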
Interestingly, another aspect of this security system is its appeal to marketers, who see the customisation of images and login screens as a way of starting a brand dialogue right from the start of a user's experience, rather than presenting them with a utilitarian login process before they reach the more compelling web service.
Have Tricerion hit on the Holy Grail of password protection and management? Certainly their approach has been patented as best they can as they believe they have hit on a really good idea. The reception to radically different approaches to something such as password management is always very cool and cynical as security professionals do their utmost to find a flaw in the offering. With the Tricerion offering arms quickly become unfolded as reviewers start to understand how picture passwords could be used in their organisation.
I am certainly intrigued and look forward to seeing how Tricerion advance their novel approach to password protection.