How secure is Windows 8 photo gesture login?

happygeek

How will Microsoft differentiate Windows 8 in an already crowded Windows OS user space? How about, for one, with a photographic gesture security system for logging in? Using a photo of the user to identify and authenticate them has some pretty obvious problems (ambient lighting, a bad hair day or forgetting to shave could all wreck your chances of using the computer that day), which is why Microsoft's developers have thought outside the box on this one.

The important part of the 'photographic gesture security system' is the gesture bit. Rather than using a photo of the user, the user chooses any photo they like and then selects parts of the image to use in place of a password. So, for example, you could tap on your face in a group photo, draw a circle around the monkey in the top left corner of a wildlife image, or drag a line connecting two people in a photo. The gestures themselves act as your password; whether you make them with a finger on a touchscreen or with a mouse makes no difference. It is the act of tapping, drawing or dragging at a specific location on the image that grants access to the computer.

Now you may think this is inherently insecure; after all, the chances are that the bit of a group photo chosen for the picture password will be the user him or herself. However, it's not that simple. Someone trying to bypass the login would need to know not just which part of the picture is used, but also which gesture was made there and where the drawing or dragging starts and ends.

I'm actually all for any kind of login innovation that makes basic computing more secure for the masses, and I welcome these early moves by Microsoft to bring something new to the Windows OS from the IT security perspective. However, some security vendors are already warning that stronger authentication may be needed for some users. Steve Watts, co-founder of tokenless two-factor authentication specialists SecurEnvoy, says that Windows 8 pictorial authentication will rely on the accuracy of the touchscreen device, as well as the accuracy of the user's gestures when logging in.

"Some users may also find that the system is far from secure when using their laptop in public places," Watts warns. "Pictorial login systems can easily be seen in a busy railway or airport café by someone visually eavesdropping on your laptop from the next table. Using a mobile phone to authenticate yourself, on the other hand, is a far more secure process, as it uses something you have and something you know to verify you are who you claim to be. Put simply, if someone shoulder surfs your login using the new Windows 8 security system, then they effectively have access to your computer. So whilst we welcome this alternative to the tired old PIN and password system, which has been proven to be less than secure as a means of logging in, we feel that the message about tokenless two-factor authentication also needs to be made."

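To make the mechanics concrete, here is an added example (not Microsoft's code and not from the original post) of how a gesture-based login can be matched with tolerance, and why that tolerance is exactly what helps a shoulder surfer: a gesture seen from the next table only has to be reproduced roughly, not pixel-perfectly. The grid size, the tolerance value, the gesture encoding and the sample image coordinates are all assumptions for illustration; it goes beyond the post by also giving a rough count of how many tap positions such a matcher can tell apart.

```python
"""Toy picture-password verifier (added example; not Microsoft's implementation).

Assumptions, none taken from the post: gestures are quantized onto a
GRID x GRID lattice laid over the image, an enrolled password is a fixed
sequence of gestures, and an attempt is accepted when every point of every
gesture lands within TOLERANCE cells of the enrolled one. The numbers and
the sample coordinates are illustrative only.
"""
import math

GRID = 100       # assumption: longest side of the image is split into 100 cells
TOLERANCE = 3    # assumption: slack, in cells, allowed per point


def quantize(x, y, width, height):
    """Map a pixel coordinate onto the grid so the image's pixel size drops out."""
    scale = GRID / max(width, height)
    return (int(x * scale), int(y * scale))


def normalize(gesture, width, height):
    """Turn a raw gesture into (kind, grid points, extra).

    ("tap",    (x, y))                  -> one point
    ("line",   (x1, y1, x2, y2))        -> start and end; order is kept
    ("circle", (cx, cy, r, clockwise))  -> centre point, plus (radius, direction)
    """
    def q(px, py):
        return quantize(px, py, width, height)

    kind, data = gesture
    if kind == "tap":
        return ("tap", (q(*data),), None)
    if kind == "line":
        x1, y1, x2, y2 = data
        return ("line", (q(x1, y1), q(x2, y2)), None)
    if kind == "circle":
        cx, cy, r, clockwise = data
        radius = int(r * GRID / max(width, height))
        return ("circle", (q(cx, cy),), (radius, bool(clockwise)))
    raise ValueError(f"unknown gesture kind {kind!r}")


def _close(a, b):
    """Chebyshev distance on the grid is within TOLERANCE."""
    return max(abs(a[0] - b[0]), abs(a[1] - b[1])) <= TOLERANCE


def gesture_matches(enrolled, attempt):
    kind, pts, extra = enrolled
    akind, apts, aextra = attempt
    if kind != akind or len(pts) != len(apts):
        return False
    if not all(_close(p, a) for p, a in zip(pts, apts)):
        return False
    if kind == "circle":
        (r, cw), (ar, acw) = extra, aextra
        return abs(r - ar) <= TOLERANCE and cw == acw
    return True


def enroll(gestures, width, height):
    """Build the stored template. Because matching needs slack, the template
    cannot be a one-way hash like a text password; it has to be kept in a
    recoverable form and protected by other means (OS key storage, ACLs)."""
    return [normalize(g, width, height) for g in gestures]


def verify(template, attempt, width, height):
    """True when the attempt has the same number of gestures and each one
    matches the enrolled gesture in the same position."""
    if len(attempt) != len(template):
        return False
    return all(gesture_matches(t, normalize(a, width, height))
               for t, a in zip(template, attempt))


def distinct_tap_positions(tolerance=TOLERANCE):
    """Rough count of tap locations the matcher can tell apart: cells more
    than `tolerance` apart on both axes. Compare with 10 values per PIN digit."""
    per_axis = math.ceil(GRID / (2 * tolerance + 1))
    return per_axis ** 2


# Constructed sample: a 1600x900 photo with three enrolled gestures.
W, H = 1600, 900
ENROLLED = [("tap", (320, 180)),
            ("circle", (1200, 200, 80, True)),
            ("line", (400, 700, 1300, 650))]
TEMPLATE = enroll(ENROLLED, W, H)

# What a shoulder surfer reproduces: every point a few pixels off, still accepted.
REPLAY = [("tap", (335, 190)),
          ("circle", (1190, 210, 75, True)),
          ("line", (415, 690, 1290, 660))]

if __name__ == "__main__":
    print("owner accepted:", verify(TEMPLATE, ENROLLED, W, H))
    print("shoulder surfer accepted:", verify(TEMPLATE, REPLAY, W, H))
    print("distinguishable tap positions:", distinct_tap_positions())
```

Two things worth noticing when you run it. The replay is accepted even though none of its coordinates equal the enrolled ones, which is the shoulder-surfing risk in code form. And the template has to be stored in a form the matcher can compare against with slack, so unlike a text password it cannot simply be salted and hashed; whatever protects the stored template (and the secret it unlocks) carries the real weight.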
About the Author

A freelance technology journalist for 30 years, I have been a Contributing Editor at PC Pro (one of the best-selling computer magazines in the UK) for most of them. As well as currently contributing to Forbes.com, The Times and Sunday Times via Raconteur Special Reports, SC Magazine UK, Digital Health, IT Pro and Infosecurity Magazine, I am also something of a prolific author. My last book, Being Virtual: Who You Really are Online, was published in 2008 as part of the Science Museum TechKnow Series by John Wiley & Sons. I am also the only three-time winner (2006, 2008, 2010) of the BT Information Security Journalist of the Year title, and was humbled to be presented with the 'Enigma Award' for a 'lifetime contribution to information security journalism' in 2011, despite my life being far from over...

Fireprufe15 0 Light Poster

That's actually a bright idea there. If laptops and PCs could get NFC chips, you could use your NFC-enabled phone to log in to Windows.

Fbody 682 Posting Maven Featured Poster

That's actually a bright idea there. If laptops and PCs could get NFC chips, you could use your NFC-enabled phone to log in to Windows.

I don't trust RFID-based technologies. Don't get me wrong, they have a place, such as inventory tracking; but I don't think they should be used in sensitive applications, like financial transactions. I wouldn't want something like this. In my opinion, RFID is too insecure.

Anyone with the right app on their phone and the proper reader can steal the information in the "tag". If you have a wallet full of PayPass, FastTap, etc. credit cards, someone can steal your entire wallet without even sticking their hand in your pocket, and you would never know. This is why I refuse to use these types of cards.

Fortinbra 37 Posting Whiz in Training

My uncle uses the RFID cards and things because he has to, but he claims that the piece of aluminum foil he uses to line the outer portions of his tri-fold wallet blocks the RFIDs from being detected unless his wallet is open.

Fireprufe15 0 Light Poster

Not for payments, but it could seriously work for something like logging in to Windows.

mikulucky 25 Junior Poster in Training

I believe that using a mobile phone would be the best option; however, it could be made even more secure than just having the phone on your person. How about the phone having to be known to the machine, allowing the phone to connect to the machine via a wireless technology? The user is then required to enter a PIN on the phone, similar to the iPhone with Wi-Fi sync.

Fireprufe15 0 Light Poster

That could also work. Another thing that could be done is, if the phone and PC are connected, the PC could send a code to the phone, which is then used to unlock the PC. Kind of like the Blizzard Battle.net authenticator.

mikulucky 25 Junior Poster in Training

But if the phone is connected physically, could you not just use card readers or USB dongles, systems that are already in place on a lot of machines? However, if you mean connected wirelessly, it could be similar to the Bluetooth passcode for pairing, with the phone already being known to the machine.
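The paired-phone ideas in the comments from mikulucky and Fireprufe15 above (a phone the machine already knows, showing a code the way an authenticator app does) come down to a secret shared once at pairing and a short code derived from it. The following is an added example, not code from any commenter or vendor, using the standard time-based one-time password construction of RFC 6238 (HMAC-SHA1 over a 30-second counter, six digits); the step, skew window and sample secret are assumptions for illustration. It also refuses a code that has already been accepted, which is what makes a shoulder-surfed code useless once the owner has used it.

```python
"""Phone as second factor: time-based one-time codes (added example).

Not code from any commenter or vendor. It implements the standard TOTP
construction from RFC 6238 (HMAC-SHA1 over a 30-second counter, 6 digits):
the phone and the PC share a secret once at pairing, the phone shows the
current code, and the PC checks it. Step, window and the sample secret are
assumptions for illustration.
"""
import hashlib
import hmac
import struct

STEP = 30      # seconds per code
DIGITS = 6
WINDOW = 1     # accept one step of clock skew either side


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1, dynamic truncation, decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = STEP) -> str:
    """What the phone displays at Unix time `now`."""
    return hotp(secret, int(now // step))


class CodeVerifier:
    """PC side. Tolerates a little clock skew, but never accepts the same
    time step twice, so a code seen over someone's shoulder cannot be
    replayed once the owner has used it."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1

    def verify(self, code: str, now: float) -> bool:
        counter = int(now // STEP)
        for c in range(counter - WINDOW, counter + WINDOW + 1):
            if c <= self.last_counter:
                continue                     # already consumed, or older
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


# Constructed sample: the RFC 6238 test secret, stored on both sides at pairing.
SHARED_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    import time
    now = time.time()
    pc = CodeVerifier(SHARED_SECRET)
    shown = totp(SHARED_SECRET, now)          # phone side
    print("phone shows:", shown)
    print("first use accepted:", pc.verify(shown, now))
    print("replay accepted:", pc.verify(shown, now + 5))
```

The comparison uses `hmac.compare_digest` so that checking a guessed code does not leak timing information, and the "last accepted counter" is the piece most home-grown verifiers forget: without it, the same six digits remain valid for the whole 30-second step plus the skew window, which is plenty of time for the person at the next table.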

jaspal.indivar 0 Newbie Poster

I want to know whether this Windows will be secure from .exe virus or spyware attacks.


jwenting 1,649 duckman Team Colleague

I want to know whether this Windows will be secure from .exe virus or spyware attacks.

It's the user who's vulnerable to those, not the operating system. That's been the case for at least a decade now.
