UI security topic: UI for private activities

Ivan Čukić ivan.cukic at kde.org
Tue Jan 17 12:14:48 UTC 2012


On 17 January 2012 13:09, Thomas Pfeiffer <colomar at autistici.org> wrote:
>> for this i happen to agree a lot with him:
>>
>> http://www.networkworld.com/news/2011/122211-windows8-authentication-254372.html?hpg1=bn
>>
>> 2 problems:
>> a) much easier to sneak than someone typing
>> b) it leaves a quite clear trace on the touchscreen surface
>
> c) The system that Windows 8 uses is just plain bad, because users tend
> to favor specific points on pictures, so these passwords are easy to
> guess anyway ;)
>
> This does not mean that graphical passwords are bad in general. Problems
> a) and b) are not problems specific to graphical passwords either. The
> common denominator of all authentication using a touchscreen is that if
> you can see the screen, you can see the user entering the password. This
> is a big disadvantage compared to hardware keyboards with masked password
> fields, where just seeing the screen gives no information. But you always
> have that in a touchscreen, no matter what method you use.
>
> The system Windows 8 uses aggravates both of the above problems because
> users do large, easy-to-see movements on the screen that leave clear
> traces. But that's not because it's a graphical system, it's because it
> is a bad graphical system.
>
>> I think it's an example of cool looking novelty, but not working in
>> reality
>
> +1. This holds true for this specific system, but not for graphical
> systems in general.
> Take for example Passfaces
> (see http://www.youtube.com/watch?v=7hcTrqiaTRI ) which has the user pick
> a series of faces from a selection of them, with randomized positions.
> Problem b) is clearly solved with approaches like this.
> Problem a) still persists, but you can experiment with the size and
> position of the faces on the screen to allow users to cover their hand
> with their other hand in order to avoid their selection being seen.
> It's not much different from entering your PIN at an ATM.
> That does not mean that Passfaces in particular is perfect, it's just an
> example that not all graphical password systems have the same
> shortcomings.
>
> Just because Microsoft has - once again - shown to implement a good idea
> in a bad way does not mean we should abandon the original idea.
> Or is asking for a password for administrative options a bad thing in
> general just because MS screwed up so bad when finally trying it in
> Windows Vista? I don't think so.
>
> Or what about using the camera? Most tablets and smartphones have one, so
> why not use it for biometric authentication, like iris recognition?

Not sure a webcam is powerful enough to do a proper image of the iris.
And, for normal cameras, I guess it would be dead easy to have a photo
printout accepted instead of a real eye.

-- 
Cheerio,
Ivan

--
While you were hanging yourself on someone else's words
Dying to believe in what you heard
I was staring straight into the shining sun

