Researchers studied the practicality of using free-form gestures for access authentication on smart phones and tablets. Image courtesy of Michael Sherman, Gradeigh Clark, Yulong Yang, Shridatt Sugrim, Arttu Modig, Janne Lindqvist, Antti Oulasvirta, and Teemu Roos; Rutgers University, Max-Planck Institute for Informatics and University of Helsinki.

To protect your financial and personal data, most mobiles come with PIN-based security, biometrics or number grids that require you to retrace a particular pattern to access your device. But is that good enough in crowded places full of spying eyes?

Not necessarily, according to a team of researchers from Rutgers University in New Jersey, Max Planck Institute for Informatics and Saarland University in Germany, and the University of Helsinki in Finland. Thieves snagged about 3.1 million smartphones in the U.S. alone last year, according to a Consumer Reports study released in May. Most of those phones are not likely to be protected by screen locksonly about one third of mobile phone users surveyed use a four-digit PIN. And even passcode-protected phones are vulnerable to shoulder surfing thieves who can glean PINs by observing their victims using their devices in a crowded location before striking, according to the researchers.

As an alternative to PINs and passcodes, the researchers are studying the feasibility of touchscreen drawings, which they call gestures. In such a scenario, users would set their password by using one or more fingers to draw a line, curve or some other pattern on their touchscreens. The device would assign a value to the gesture. Users would have to replicate that same gesture on the screencoming reasonably close to the assigned valueto later unlock the device.

Once the user has come up with a repeatable gesture, it is really hard for others to do [the gesture] accurately because of your unique characteristics of your hand, muscles and joints, says Janne Lindqvist, one of the projects leaders and an assistant professor in Rutgers' School of Engineering's Department of Electrical and Computer Engineering. A recognizer program then identifies such a gesture as unique to that user.

In a study, the researchers asked participants to draw a pattern, replicate the pattern and then reproduce it again during a second session at least 10 days later. Because reproducing patterns and designs with total accuracy isnt likely, the software accepts motions that deviate from the original to a certain degree. Likely, that degree would be adjustable depending on the level of security desired.

A secure gesture should have both inherent complexity and easiness to perform, the researchers concluded in a study they will present June 18 at the MobiSys 2014 conference in New Hampshire. Signatures fit both categories well because, though complex for a thief to reproduce, they are easy for a device owner to remember and replicate.

This novel idea is still in the lab and may not necessarily make its way to future generations of iPhones. Still, the researchers look into free-form gesture recognition as a security mechanism turned up some interesting results.

  • Unlike an alphanumeric password, longer or more complicated gestures were not necessarily more secure than shorter, simpler patterns.
  • The most secure gestures featured many sharp turns, not coincidentally, of the kind used to draw letters in a signature.
  • Less secure gestures had fewer turns. In addition, those turns were gentle and tended to curve in the same directiona circle, for example.
  • In general, participants had little difficulty reproducing the shape of the gesture they had chosen. Most of their errors came when they tried to create and then replicate a gesture that required multiple fingers.