Microsoft supports photo-touch gestures for secure login to Windows 8 tablets or smartphones. Is it worth looking into the Windows 8 photo gesture credential?
Ask a question
Davey Winder, one of SearchSecurity.co.UK's resident security experts, is standing by to answer your questions. Send in your questions via email today. (All questions are treated as anonymous.)
To answer this, you first need to understand what Windows 8 photo-gesture authentication is not, which is some kind of biometric photo ID system that scans the user’s face in order to recognise key features. Photo ID authentication throws far too many variables into the mix, such as ambient lighting changing the way the user looks. Imagine not being able to log in to your computer because you’re having a bad hair day!
So what is a photo touch-gesture recognition system? The key word to focus on is ‘gesture’ rather than ‘photo’. The photo simply serves as a visual map, making it easier for the user to remember the login process. The Windows 8 system allows any photograph to be used. The system records an initial set of gestures used by the user to connect parts of the photo.
For example, you could have a photo of your family and then use a touch screen or mouse to draw a circle around the face of your mother and then a line to your face and finally a square around the face of your father. The Windows 8 authentication system will actually register the position of the starting circle as mapped to that photo and then the route taken to connect it to another position and ultimately the end position.
The photo gesture authentication system provides better security than you might think. A malicious attacker trying to log in to a device or account would need to guess what parts of the photo were used for the registration reference (which is difficult but not impossible using social profiling techniques), as well as the exact start and finish points and the route between them.
There are some potential pitfalls of the photo-gesture authentication system, however, including the obvious problem of granularity in terms of accuracy. Just how much leeway can be given for the circumference of the circle, for example, or how far can the line wander without triggering a false positive and preventing access? With a touch screen device, there are calibration issues to take into account as well; a device that has lost calibration could prevent access through no fault of the user.
Related Q&A from Davey Winder
Expert Davey Winder suggests some good security training courses for the IT administrator who must manage their organisation’s mobile devices. Continue Reading
Organisations should guard against Facebook hacking and Twitter hijacking. Expert Davey Winder discusses Twitter and Facebook security tools that can... Continue Reading