Could semantic icons replace passwords and PINs?

Deep into an era dominated by mobile devices, it’s somewhat strange that users find themselves shackled to a password model invented for computers with full-size keyboards and screens.

Not surprisingly, entering password on a mobile device can be fiddly, not to mention the traditional problem of remembering lots of passwords or PINs and creating secure ones in the first place.

Pattern locks are a possible answer but come with disadvantages such as being easy to shoulder surf or detect using a smudge attack (detecting the grease prints left by fingers on a screen).

According to a new paper by researchers from Xi‘an Jiaotong-Liverpool University in China, we shouldn’t be surprised when research confirms that up to two thirds of mobile users cope with these inconveniences by abandoning passwords, PINs and even patterns to access their device, and simply hope for the best.

The team’s alternative – called SemanticLock – replaces passwords, PINs and patterns with a sequence of graphical icons which work semantically.

For example, the sentence “I eat breakfast with coffee” can be represented by four icons representing each word or concept in that sequence, which is easier to enter on a small screen than the equivalent alpha-numeric characters.

Theses icons can also be arranged quickly into the correct sequence from a palette of up to 20 icons in as few as two finger movements, the researchers claim.

So much for speed and memorability, what about security?

Conceptually, a sequence of icons should be as secure as a sequence of numbers, which is to say the security is the same as long as the palette of icons doesn’t lure people into using the same set of memorable sequences.

The position of the icons on the screen rotates over time which rules out smudge attacks.

In testing with 21 users, SemanticLock was slightly slower to use than patterns in some use cases but a bit faster than PINs. In terms of memorability, however, a chosen sequence was forgotten only 10% of the time as against 70% for patterns and 50% for PINs. Overall…

…comparing SemanticLock against other authentication systems, we discovered that SemanticLock outperformed the PIN and matched the pattern both on speed, memorability, user acceptance and usability.

On the basis of these results, one might assume that mobile device makers would be falling over themselves to implement SemanticLock, or something like it.

That assumption would be wide of the mark. Graphical and image-based authentication designs of various types are nothing new and yet today’s passwords still rely on alphanumeric characters, PINs and patterns.

The reason for this is that for all their drawbacks these designs got there first, a familiarity that makes shifting them extremely difficult.

Moreover, it’s likely that the sizable hardcore of users who don’t bother with today’s password, PIN and patterns would also ignore icons.

Meanwhile, smartphone makers have invested heavily in alternatives such as Apple’s Face ID. This isn’t perfect, but it’s at least as secure while being quicker and simpler than any system that asks users to enter data or perform an action to access their device. Perhaps then, passwords won’t be replaced by icons but by faces.