March 7, 2006 — A password that uses images instead of numbers could give some people access to secure information on personal electronic devices or at ATMs within the next year.
The image authentication system uses a pair of digital images instead of a string of numbers to make logging in simple for the legitimate user, but difficult for impersonators.
“It is expected that many of the conventional user authentication systems would be able to be replaced with our scheme, since recognition of images is significantly easier for human beings than precise recall of passwords,” said team leader Masakatsu Nishigaki, a professor of informatics at Shizuoka University in Japan, where the system is being developed.
According to Nishigaki, people often use four-digit number passwords or easy-to-remember passwords, such as a name or birthday, to access information on cell phones, PDAs, Web sites, and financial accounts at ATMs.
What’s more, they often use the same password to gain access to several different locations, and they rarely change the secret string of numbers.
That makes an otherwise secure system vulnerable to password cracking programs, which are designed to retrieve lost passwords but are also used by thieves to gain unauthorized access to accounts.
Nishigaki and his team propose a system that uses one clear and easily recognizable image and another that is a highly pixelated, unclear version of the original.
When creating a new password or changing an old one, the system provides the legitimate user with the clear image. But during the authentication phase, the system shows the user the unclear image, along with a number of decoy images.
To the user who holds the clear version, the unclear image is easy to pick out. But to an impersonator, finding the correct image becomes difficult.
Depending on the security level required, and to prevent an unauthorized person from clicking on the correct image by chance, the system can be designed to display a higher number of decoy images or to present the user with more than one round of image selection.
That security measure could also be a flaw in the unclear image system, said Tetsuji Takada, a researcher at the National Institute of Advanced Industrial Science and Technology in Tokyo whose team is also working on a photo-based authentication system.
“The solution significantly decreases the memorability of pass-images,” said Takada. “There is a problem getting a better balance between security and usability in user authentication.”
Takada’s solution is to allow users to use their own photos, which would increase the chances that they would remember them. A user's photo is displayed among decoy images in a group randomly selected by the computer.
For added security, the computer may display a group of photos that does not contain the pass-image. In that case, the user can answer “no pass-image.”
An unauthorized person might continue to guess at the correct photo and give himself away.
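To put numbers on the two designs described above (more decoys or more rounds in Nishigaki's scheme, and the "no pass-image" answer in Takada's), the following Python code is an added example, not code from either research team. It assumes an impersonator who clicks uniformly at random and cannot tell decoys from the pass-image; the function names, grid sizes and the 25% decoy-only rate are illustrative choices.

```python
import secrets
from fractions import Fraction

NO_PASS_IMAGE = "no pass-image"   # explicit answer for a screen of decoys only
_rng = secrets.SystemRandom()     # OS-backed randomness for the screen layout


def build_round(pass_image, decoy_pool, grid, allow_none=False, p_absent=0.25):
    """Return (images_shown, correct_answer) for one selection screen."""
    # With allow_none, some screens deliberately omit the pass-image.
    absent = allow_none and _rng.random() < p_absent
    shown = _rng.sample(decoy_pool, grid if absent else grid - 1)
    if not absent:
        shown.append(pass_image)
    _rng.shuffle(shown)
    return shown, (NO_PASS_IMAGE if absent else pass_image)


def verify(expected, answers):
    """Accept only if every round was answered correctly."""
    return len(expected) == len(answers) and all(
        e == a for e, a in zip(expected, answers))


def guess_probability(grid, rounds, allow_none=False):
    """Chance that uniform random clicking passes all rounds (assumed model)."""
    # The "no pass-image" button is one more option on every screen, so the
    # per-round chance is 1/(grid + 1) whether or not the pass-image is shown.
    options = grid + (1 if allow_none else 0)
    return Fraction(1, options) ** rounds


def rounds_needed(grid, target, allow_none=False):
    """Fewest rounds that push the guess probability down to target."""
    rounds = 1
    while guess_probability(grid, rounds, allow_none) > target:
        rounds += 1
    return rounds


if __name__ == "__main__":
    pin = Fraction(1, 10_000)     # one guess against a four-digit number
    for grid in (9, 16, 25):
        print(grid, rounds_needed(grid, pin), rounds_needed(grid, pin, True))
```

Under this model a 9-image screen needs five rounds to match a single guess at a four-digit number, or four rounds once "no pass-image" is a possible answer.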
Both groups are working toward an effective system. Takada’s team will present new research findings at a conference this May.
Nishigaki’s team recently filed for a patent and has been approached by at least one Japanese company that has expressed an interest in applying the system to its product.