Evolving Gestures as Progressive Passwords
2012-01-22 00:26:59


I know nothing of gesture recognition algorithms, but here is an idea:

A common concern about gesture-based password entry is that, much more so than typing on a keyboard, it's easy to spy on gesture entry. I propose beating this by having each successive entry of the pass-gesture require a modification based on the previous entry of it: e.g. the user must draw the hands of a clock indicating 5 minutes past the hour, and each time the user enters their pass-gesture, the 'hour' in question is incremented by 1. To set up such a password, the user enters the gesture 3 times in 3 successive states (in the example where the user chose a clock face, 12 o'clock, 1 o'clock and 2 o'clock should do), which provides enough information to recover both linear and rotational transformations.

The great advantage of this is that a spy would need to see the entry process 2 or 3 times before they could work out what to enter as the user's pass-gesture: going back to the clock-face example, they would have to determine whether the clock is running forward or backward, by what increment, and even which hand is moving.

But the user need not be limited to clocks: signatures that have portions which change scale, skew, or even reflect horizontally or vertically could be possible, all with a 2×2 matrix for transforming each vertex of the original pattern.

Remembering any sequential or evolving authentication information requires a considerable amount of effort on the part of the user, so naturally this system would only be appropriate for high-frequency (thus low remembering burden between uses), critical systems like a classified workplace. Also, like any gesture recognition system, there would need to be a 'fuzz factor' that tolerates a certain degree of error in gesture entry. But these problems are readily overcome.
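A sketch of the enrolment and verification logic described above, added here as an example (it is not the author's code). It assumes the per-entry change is an affine step (the 2×2 matrix plus a translation), that vertices are paired by index across entries, and that the 'fuzz factor' is a per-vertex distance tolerance; the clock_hand trace is constructed sample data.

```python
import math

def _solve3(m, v):
    """Gauss-Jordan solve of a 3x3 system m @ w = v (partial pivoting)."""
    a = [row[:] + [v[i]] for i, row in enumerate(m)]
    for col in range(3):
        piv = max(range(col, 3), key=lambda r: abs(a[r][col]))
        a[col], a[piv] = a[piv], a[col]
        for r in range(3):
            if r != col:
                f = a[r][col] / a[col][col]
                a[r] = [x - f * y for x, y in zip(a[r], a[col])]
    return [a[i][3] / a[i][i] for i in range(3)]

def fit_step(frames):
    """Least-squares affine step T(p) = A p + t with frame[k+1] ~= T(frame[k]).
    Vertices are paired by index; needs >= 3 non-collinear vertices per frame."""
    rows, targets = [], []
    for src, dst in zip(frames, frames[1:]):
        for (x, y), dst_pt in zip(src, dst):
            rows.append([x, y, 1.0]); targets.append(dst_pt)
    xtx = [[sum(r[i] * r[j] for r in rows) for j in range(3)] for i in range(3)]
    w = [_solve3(xtx, [sum(r[i] * t[k] for r, t in zip(rows, targets)) for i in range(3)])
         for k in range(2)]  # one regression each for x' and y'
    return [[w[0][0], w[0][1]], [w[1][0], w[1][1]]], (w[0][2], w[1][2])

def expected_state(base, a, t, n):
    """Apply the step transform n times to the enrolled base gesture."""
    pts = list(base)
    for _ in range(n):
        pts = [(a[0][0]*x + a[0][1]*y + t[0], a[1][0]*x + a[1][1]*y + t[1]) for x, y in pts]
    return pts

def verify(entry, base, a, t, n, tol):
    """Accept the n-th login only if every vertex is within tol (the 'fuzz factor')
    of the expected n-th state, so a replay of an earlier entry is rejected."""
    exp = expected_state(base, a, t, n)
    return len(entry) == len(exp) and all(math.dist(p, q) <= tol for p, q in zip(entry, exp))

def clock_hand(hour, center=(5.0, 5.0)):
    """Constructed sample trace: a clock hand at the given hour, 30 degrees clockwise per hour."""
    th = -math.radians(30 * hour)
    c, s = math.cos(th), math.sin(th)
    shape = [(0.0, 0.0), (0.0, 1.5), (-0.2, 2.6), (0.0, 3.0), (0.2, 2.6)]
    return [(center[0] + c*x - s*y, center[1] + s*x + c*y) for x, y in shape]

if __name__ == "__main__":
    enroll = [clock_hand(h) for h in range(3)]               # 12, 1 and 2 o'clock
    A, T = fit_step(enroll)
    print(verify(clock_hand(3), enroll[0], A, T, 3, 0.05))   # genuine 4th entry -> True
    print(verify(clock_hand(2), enroll[0], A, T, 3, 0.05))   # replayed 3rd entry -> False
```

The second check is the point of the scheme: an observer who copies the previous entry exactly still fails, because the expected state has already moved on.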

Side-question: has anything like this been considered before? What about cycling passwords in general? (Surely someone thought of that before two-factor authentication. What was it called? Was the burden of remembrance too great to make it practical?)
Samantics   8452.136 tgc / 2012.056 ce