How many times a day do you type in a smart phone password to unlock the device or an app? Surely whenever you do this, you are not always in a private setting. The sad reality is that we started exposing our computing devices to the outside world, which is not always friendly. That being said, let's review the existing methods and approaches of how mobile and wearable devices are protected against people around you.
The most common approach used for unlocking mobile and wearable devices is a numeric PIN. For a malicious observer, this method is a dream come true. Apple recognizes this weakness, so the standard four-digit PIN will be six digits long in the upcoming iOS 9. The lengthening of the PIN, however, will unlikely present a bigger hurdle for the bad guys around us.
Another approach that is commonly used is the standard alphanumeric password, which uses a virtual keyboard. When a user enters in a character the letter, number, or symbol that is pressed on the keyboard clearly distinguishes itself on the screen. This makes it very feasible for a malicious observer to decode the password regardless of the complexity of the password.
Of course there exist other methods like the picture unlock feature for the Microsoft Surface tablet. Users select a picture and add different gestures on the picture. The gestures can be lines, circles, or just taps on the screen. The picture does not change with each unlock unless the user does so in settings, so the user performs the same gestures in the same places on the screen, so the wrongdoers can feasibly identify the gestures on the screen.
Moving on, another lock screen option is the pattern lock that is used to unlock Android devices and some applications. For this password there are 9 circles on the screen and the user draws a pattern from one circle to and through the other circles. This approach provides no better protection than the previous one. The pattern lock along with the picture unlock feature for the Microsoft Surface tablet have another drawback. When repeated multiple times, the user's fingers leave visible traces on the touch screen, so a malicious observe can figure out the gesture sequence just by looking at the greasy traces on the screen.
Crafty apps have started appearing that use a fake calculator to unlock information. At first glance it appears that a user is just trying to calculate some amount, but once you enter the correct combination of symbols involving numbers and numeric operators you unlock your private information. While this application may stump a malicious observer at first, if an observer records you entering your password in this application they have the key to your private information. I would say that this application is even less secure since the calculator works like an actual calculator and displays a number at the top of the screen.
Another similar application that tries to disguise the fact that the application is used to unlock secure information is Tic Tac Lock. A user appears to be playing tic tac toe but in reality they are entering a four digit PIN by pressing faded numbers ranging form 1-9 in boxes. First off, the numbers on the screen are not that hard to distinguish, even though they are faded. Secondly, the formation of the numbers does not change, so the user enters the same pattern every time to unlock this application, which is easily readable by a malicious observer.
Some people acknowledge all of these security vulnerabilities with the login methods I have mentioned, but then they say that the vulnerabilities are easily taken care of with a sticky security screen. While this physical barrier, hides your screen from people looking at sharp angles at the screen, it does not stop people from recognizing the password entered. Since all of the currently discussed methods do not change placement and orientation of the screen content, a malicious observer can still decode your password from your hand movements on the device. This is especially feasible on the iPad and other large tablets. Most importantly, any malicious observer looking at the screen at your angle can still see your password. While the sticky screen provides some added security, it is not even close to being foolproof against a malicious observers.
An application that is worth mentioning is Mnemonizer. The purpose of the app is not to provide another way to enter a password, but to help you store your passwords in a form that a malicious observer cannot steal. To do this, the application uses a mnemonic card to hide a PIN or password. You can use different shapes and colors to place your data on the card and recognize it later. While this application does not provide a different way of entering your password, it gives you some sort of protection against malicious observers.
Unfortunately, all the described above approaches to securing a device are screen-position based, so anyone with a video camera can record a person entering their credentials and easily decode that information.
The listed above password-related issues are part of nasty HITBAD problem, which stands for Here Is The Body And Device. This is a relatively new security challenge that is generally overlooked or ignored.
Currently there are three ways to protect your device (or a sensitive app): either with a password, biometrics or token-based authentication (a chip under your skin, a smart watch on your wrist, etc). Will these approaches help you to protect your sensitive data from the bad guys around you? Definitely "no" in case of biometrics and tokens. As demonstrated here, the biometrics approach has several unsurpassable conceptual flaws that will not allow to consider it as a standalone solution to fight the HITBAD challenge. Passwords? As shown above, none of the existing passwords-based solutions provide viable protection against the malicious observers.
What can help to fight HITBAD problem? The answer is going to surprise you -- a game. A very short game that you play in order to log in to your device or to a sensitive app. Not only the purpose of such a game would be a secret, but the game's rules themselves would be also a secret! Both "the purpose" and "the rules" of the game are configurable and they can be set up by the user. This game-based approach would make extremely difficult for a malicious observer to figure out your login credentials just by looking at your screen during the authentication steps.
To see that this game-based authentication approach works perfectly well (some of our users prefer a stronger "amazing" word), you can download our free iOS app that uses a few configurable games (each with several variations) as a way to log in to the app. The app demonstrates a unique technology in action, which per se is the first ever and only working solution to fight the nasty HITBAD problem.
Is the game set used in the app (based on the notions of Magic Point and Magic Grid) the only way to address the HITBAD problem? Of corse, no. If you think about it, you will see a lot of incredible possibilities that will not even require alphanumeric form of input. Just stay tuned...