The Windows 8 feature that logs users in if they touch certain points in a photo in the right order might be fun, but it’s not very good security, according to the inventor of RSA’s SecurID token.
“I think it’s cute,” says Kenneth Weiss, who now runs a three-factor authentication business called Universal Secure Registry. “I don’t think it’s serious security.”
The major downside of the picture password is that drawing a finger across a photo on a touch screen is easy to video record from a distance – making it relatively easy to compromise, he says. Designers of alpha-numeric passwords recognise this danger and have responded to it by having password characters appear as dots on the screen so the password can’t be copied down.
Designers of Windows 8′s picture login have made a traditional password an alternative, perhaps in acknowledgement of this shortcoming, he says.
Other problems include backing up the touch pattern that is the login. “To put down a description of the sequence is possible, but that’s a lot of writing,” he says.
All in all, “It’s more like a Fisher-Price toy than a serious choice for secure computer access,” he says.
Still, it’s better than nothing, he says, and it is raising awareness of login security.
Windows 8 is the next version of the Windows operating system, now due for beta release in February. It’s expected to be generally available later next year featuring touchscreen navigation and commands as well as support for tablets. Not all apps that run on Windows 7 will be compatible with the touchscreen capabilities, but mouse and keyboard devices will enable all apps that ran on Windows 7.
The new operating system shoots for power efficiency, better security and compatibility with ARM-based chips (read tablets and next-generation PCs), all of which could make Windows 8 attractive to businesses.