Wednesday, September 29, 2010

Map locations as passwords

Word is out on Bill Cheswick's idea for online authentication that is based on using a highly specific location on a map as one's "password." It's a neat idea, and something better than remembering passwords would be fantastic. I don't think this is the breakthrough we need, though. To abuse a Churchill quote, passwords are the worst authentication method -- except for all the others we have tried.

The idea is interesting -- use a a pair of 10-digit latitude and longitude coordinates to comprise a 20 digit password. Instead of a user remembering 20 digits, he remembers "that blue house outside of town." When prompted for authentication, he moves the mouse to that location and clicks it. This will obviously defeat keyloggers, and mouse monitors can be fooled by initializing the map in a new place each time.

Others in the online discussion have pointed out flaws. One of these is that shoulder surfing is once again a threat to password security. Another is that users will tend to choose familiar locations like their homes or prominent landmarks. Yet another is the possibility of analyzing cached map images to determine the sensitive location.

Another problem is that I believe it easier to remember several phrases than several places. This will make it more tempting to use one or two locations as the shared secret, and a compromise of one account will compromise another.

They haven't done any usability studies on this yet, but I think a problem that will emerge is that the precision necessary for clicking the correct location will be a big issue -- especially with older or highly-caffeinated users. One obvious fix is to allow a range of error from the actual spot; however, this will complicate secure password storage. The standard method of storing only a hashed password (with or without salt) is not an option if a range of passwords must be accepted.

This idea was presented at NYIT's Cyber Security Conference earlier this month. In the speaker's bio, he says that in the talk he'd present several half-baked ideas. I think this work isn't the solution, but we need more half-baked ideas for the problem.

Slashdot picked up on this, as did Discovery and Tech News Daily.

No comments:

Post a Comment