My Uncle Leo had a distinctive facial tic that I always thought would be a pretty foolproof identifier for ATM and credit card transactions. Problem is, you’d need a point-of-sale terminal with facial recognition and, in Uncle Leo’s case, a free half-hour to hear his stories about the war.
As unique as Uncle Leo’s tic was, it pulled no weight when it came time to pay with plastic or do his banking online. For that, you need to concoct a password — a personal alphanumeric tic, if you will — that these days does less to verify your identity than to simply beat down that inner voice that insists on screaming, “Danger! Danger! Danger!”
For all their good intentions, passwords have always been a lousy substitute for Uncle Leo’s tic. Just ask Wired senior writer Mat Honan, a pretty ‘net-savvy guy who watched his digital life burn down in about an hour after his robust passwords were deciphered. In his insightful account, “Kill the Password: Why a String of Characters Can’t Protect Us Anymore,” Honan has this to say about our made-up tics:
“It’s an artifact from a time when our computers were not hyper-connected. Today, nothing you do, no precaution you take, no long or random string of characters can stop a truly dedicated and devious individual from cracking your account. The age of the password has come to an end; we just haven’t realized it yet.”
Or have we?
This month, Capital One introduced its SureSwipe mobile phone app that veers from the alphanumeric mainstream to enable users to log in based on pattern recognition. Instead of setting up a boring old password, SureSwipe users trace a pattern on a square, nine-point touch screen grid that becomes their pattern sign-in. You have to hit at least four of the nine points in sequence, and lame figures aren’t allowed, for you Zorros out there.
The app, currently available on iPhone with Android to follow next year, allows you to reset your doodle or turn the SureSwipe feature off entirely and go old-school with an alphanumeric identifier.
Several things occurred to me while exploring the SureSwipe landing page. One, the headline: “No More Password Typos.” Really? Is that what this is the solution for? Fumble thumbs? What about, oh, identity theft? Alas, there was no link to security FAQs or reassuring anti-fraud verbiage.
You don’t need a math degree to figure out that there are far fewer possible combinations using nine grid points than with 26 letters, nine numbers and assorted symbols in the alphanumeric world.
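To put a number on that comparison, here is an added example (not from the original post or from Capital One) that counts the patterns possible on a nine-point grid with at least four points. It assumes Android-style rules, which the post does not confirm for SureSwipe: no point is reused, and a stroke cannot jump over an unvisited point. The 95-character password alphabet (printable ASCII) is also an assumption.

```python
from math import log2

# Constructed model: points numbered 0..8, row-major on a 3x3 grid.
# ASSUMPTION (Android-style rules, not confirmed for SureSwipe):
# each point is used at most once, and a stroke cannot pass over an
# unvisited point that lies exactly between its two endpoints.

def midpoint(a, b):
    """Return the grid point exactly between a and b, or None if there is none."""
    (ra, ca), (rb, cb) = divmod(a, 3), divmod(b, 3)
    if (ra + rb) % 2 or (ca + cb) % 2:
        return None
    return (ra + rb) // 2 * 3 + (ca + cb) // 2

def count_from(last, visited, remaining):
    """Count the ways to extend a pattern ending at `last` by `remaining` points."""
    if remaining == 0:
        return 1
    total = 0
    for nxt in range(9):
        if nxt in visited:
            continue
        mid = midpoint(last, nxt)
        if mid is not None and mid not in visited:
            continue  # would jump over an untouched point
        total += count_from(nxt, visited | {nxt}, remaining - 1)
    return total

def count_patterns(length):
    """Number of valid patterns that touch exactly `length` points."""
    return sum(count_from(s, frozenset([s]), length - 1) for s in range(9))

def pattern_keyspace(min_len=4, max_len=9):
    """Upper bound on patterns; any 'lame figure' blacklist only shrinks it."""
    return sum(count_patterns(n) for n in range(min_len, max_len + 1))

def password_keyspace(length, alphabet=95):
    """Passwords of exactly `length` characters (95 = printable ASCII, assumed)."""
    return alphabet ** length

if __name__ == "__main__":
    total = pattern_keyspace()
    print(f"patterns (4-9 points): {total:,} (~{log2(total):.1f} bits)")
    for n in (3, 6, 8):
        k = password_keyspace(n)
        print(f"{n}-char password: {k:,} (~{log2(k):.1f} bits)")
```

Under these assumptions the whole pattern space is smaller than that of a three-character password and sits between a five-digit and a six-digit PIN, so server-side attempt limits and lockout do most of the protective work.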
Capital One’s pattern recognition breakthrough may well save time for mobile users, if that’s its sole goal. And I’m excited by any move away from those vulnerable letters and numbers to something more personal and harder to machine generate or guess.
But until we come up with something a little closer to Uncle Leo’s tic, I fear that hackers are likely to view SureSwipe as just that: a sure swipe.