For several years, Rutgers Univ. Prof. Janne Lindqvist has studied various aspects of smartphone security and privacy. As smartphone technology advances, the average layperson is putting more trust into the device. Email, banking, and social network accounts represent just some of the sensitive information people store on their smartphones.
That information is usually protected by a text-based password.
New research from Lindqvist and his Rutgers colleagues has found that free-form gesture passwords—passwords that are drawn with fingers—may provide a more secure alternative to text-based passwords. The research, available online, will be formally published in May at the Association for Computing Machinery’s Conference on Human Factors in Computing Systems.
“Typing on a smartphone or even a tablet is hard, in particular when you are mobile,” Lindqvist told R&D Magazine. “Thus, people tend to do simple passwords or PINs to protect their phones. Our research indicates that gestures allow people to create and recall even complex gesture passwords fast, because you can just do it on the touch screen with one or multiple fingers.”
The Rutgers team studied how 91 participants utilized free-form gesture passwords in their daily lives. The results indicated that participants who used gesture-based passwords, on average, spent 22 percent less time logging in and 42 percent less time creating passwords.
The research also examined which gestures participants used for passwords. According to the results, 49.28 percent preferred using shapes, 24.07 percent preferred using letters, and 15.76 percent used lines. Single-finger gestures were also vastly preferred over multi-finger gestures, with 93.62 percent of participants using the former.
“You don’t have to be exact, in fact, it is unlikely that any human could be exact even most of the time,” Lindqvist said of gesture accuracy. “So it needs to be ‘roughly the same,’ which is based on a computational threshold that maximizes both security and usability.”
Some smartphone producers have integrated fingerprint recognition technology into their mobiles for increased security, such as the iPhone’s Touch ID. However, Lindqvist believes gesture-based passwords present advantages over the fingerprint scanning technique.
“When iPhone first introduced their fingerprint scanning, it took only something like two days from a German-based group (members of the Chaos Communications Club) to show how a well-known attack of lifting a fingerprint from the phone and recreating it was able to give access to the phone,” Lindqvist said.
“Fingerprints are also potentially not privacy-preserving,” he added, noting that they’re stored in all sorts of government databases. “Even some daycares use that method to give access to parents. It is just a matter of time when a huge fingerprint database will be leaked.”
Additionally, Lindqvist said manufacturers usually have a fallback authentication method that utilizes a PIN code.
“Smartphones present a fascinating problem due to their form factor, and you really cannot make progress in smartphone security and privacy without putting your investigations out there for people to use, like we did in this field study,” he said.
The gesture-based authentication method was tested on the Android platform, but Lindqvist concluded that the method could be implemented on any device with a touchscreen.