Microsoft Details Windows 8 Picture Password Feature
By Channel Insider Staff | Posted 2011-12-20
Microsoft has detailed its Windows 8 Picture Password protection, insisting that it's as secure as traditional numbers-and-letters input.
At September's BUILD conference, Microsoft took an auditorium of developers on a deep dive into the upcoming Windows 8. Among the features revealed in passing was a rather unique way of safeguarding the operating system from unauthorized users: a Picture Password that required touching parts of an image in order to move past the initial lock screen.
Now Microsoft is revealing more details about the Picture Password sign-in. First, users will choose a personal image; then, a series of gestures (taps, lines, and circles) to unlock the Windows 8 interface. That relatively simple process required a good deal of thought on the part of Microsoft's engineers, who needed to solve problems such as how much margin of error to allow in users' gestures.
"We take a look at the difference between each gesture and decide whether to authenticate you based on the amount of error in a set," Zach Pace, a program manager for Microsoft's You Centered Experience team, wrote in a Dec. 16 posting on the Building Windows 8 blog. "When the types, ordering, and directionality are all correct, we take a look at how far off each gesture was from the ones we've seen before, and decide if it's close enough to authenticate you."
He also argued that drawing on an image offers security on par with entering numbers and letters into a keypad. Taps, lines and circles on a set grid can translate into billions of possible gesture sets. Moreover, Microsoft is baking additional security measures into Picture Password.
"When you enter your picture password incorrectly 5 times, you are prevented from using the feature again until you sign in with your plain text password," he wrote. "Also, picture password is disabled in remote and network scenarios, preventing network attacks against the feature."
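The two rules quoted above (exact match on gesture type, order and direction, a tolerance on position, and a lockout after five failures) can be sketched as a verifier. This is an added example, not Microsoft's code: the Gesture structure, the coordinate grid, the TOLERANCE value, the per-point distance check standing in for Microsoft's unpublished scoring, and the counter reset on success are all assumptions.

```python
import math
from dataclasses import dataclass

MAX_FAILURES = 5   # from the article: five wrong entries disable the feature
TOLERANCE = 5.0    # assumed: allowed error per point/radius, in grid units

@dataclass(frozen=True)
class Gesture:     # hypothetical structure for this example
    kind: str               # "tap", "line" or "circle"
    points: tuple           # tap: (p,)  line: (start, end)  circle: (center,)
    radius: float = 0.0     # circles only
    clockwise: bool = True  # circles only; a line's direction is its point order

def gestures_match(enrolled, attempt):
    """Type, order and direction must be exact; position only close enough."""
    if len(enrolled) != len(attempt):
        return False
    for ref, got in zip(enrolled, attempt):      # zip enforces ordering
        if ref.kind != got.kind or len(ref.points) != len(got.points):
            return False
        if ref.kind == "circle" and ref.clockwise != got.clockwise:
            return False
        # Pairwise comparison: a line drawn end-to-start fails here.
        if any(math.dist(p, q) > TOLERANCE for p, q in zip(ref.points, got.points)):
            return False
        if abs(ref.radius - got.radius) > TOLERANCE:
            return False
    return True

class PicturePasswordVerifier:
    def __init__(self, enrolled):
        self.enrolled, self.failures = enrolled, 0

    @property
    def locked(self):
        return self.failures >= MAX_FAILURES

    def verify(self, attempt):
        if self.locked:               # a correct set is refused while locked
            return False
        if gestures_match(self.enrolled, attempt):
            self.failures = 0         # assumed: success clears the counter
            return True
        self.failures += 1
        return False

    def text_password_sign_in_ok(self):
        self.failures = 0             # text password sign-in re-enables the feature

# Constructed sample enrollment: tap, then line, then clockwise circle.
ENROLLED = [Gesture("tap", ((20, 30),)),
            Gesture("line", ((10, 10), (60, 40))),
            Gesture("circle", ((50, 50),), radius=12.0)]
```

The lockout check runs before any comparison, so once the counter reaches five the verifier gives no further feedback about how close a guess was.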
In theory, potential thieves would have trouble guessing your Picture Password based on telltale smudges on a screen. Because the order of gestures, their direction and location all matter, he added, it makes the prospect of guessing the correct gesture set based on smudging very difficult even in the completely clean screen case, let alone on a screen that sees regular touch use.
Microsoft has revealed several aspects of Windows 8 of late. Earlier in December, it unveiled Windows Store, its long-anticipated applications storefront for the operating system.
To read the original eWeek article, click here: Microsoft's Windows 8 Picture Password Detailed