SHOULDER surfers could be thwarted and ATMs made more secure by allowing customers to enter a tactile PIN via their smartphone instead of using the normal keypad.
The basic problem with traditional PINs and passwords is that when used in a public space they can easily be observed, says Andrea Bianchi at the Korea Advanced Institute of Science and Technology in Daejeon.
So he and his colleagues have developed a range of touch-based code-entry systems which aim to prevent prying eyes from getting a look in. They hinge on allowing phones to communicate securely with ATMs, such as by using near-field communication readers, so smartphones could be used instead of the highly visible keypads.
The team has explored two main approaches, says Bianchi's colleague Ian Oakley at the Madeira Interactive Technologies Institute at the University of Madeira in Funchal, Portugal. "In one approach you try to recognise what you feel and with the other you count what you feel." In a system called PhoneLock, for example, alphanumeric icons on a smartphone touchscreen are replaced with a set of up to 10 different tactile cues known as tactons. "They're the touch equivalent of icons," Oakley explains.
The tactons, which are easy to distinguish from each other, are placed in a circular grid that is divided into several radial segments so that when the user moves their finger over a segment the vibrate motor in the device will vibrate in a specific pattern depending on which tacton is there. All the user has to do is feel the different segments until they find the right one in a sequence they have remembered and then press an icon at the centre of the circle to enter it.
In another approach, called SpinLock, the user is presented with a circular wheel, much like the click-wheel on old iPods. This works like the dial of an old-fashioned combination safe, but with the user running their finger around it in one direction until they have felt the appropriate number of clicks in a sequence, before running it in the other direction.
Although it takes longer to enter a PIN like this, any observer would be unable to reproduce it because the tacton positions are randomised, says Oakley. This could make it more secure to make online purchases on mobile devices or punch in an access code to gain entry to a secure area.
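As an added illustration (not code from the article or from the researchers), this Python model shows why finger positions watched during one PhoneLock entry are of little use on the next when tacton positions are randomised. It assumes the layout is reshuffled for every entry and a PIN of four distinct tactons; all function names are hypothetical.

```python
import random

NUM_TACTONS = 10  # the article says "up to 10 different tactile cues"

def new_layout(rng, randomise=True):
    """Return layout[segment] = tacton placed in that radial segment."""
    layout = list(range(NUM_TACTONS))
    if randomise:
        rng.shuffle(layout)  # assumption: reshuffled for every entry
    return layout

def enter_pin(pin, layout):
    """Segments the legitimate user selects; this is all an observer sees."""
    return [layout.index(tacton) for tacton in pin]

def decode(segments, layout):
    """Device side: map the selected segments back to tactons."""
    return [layout[s] for s in segments]

def replay_success_rate(pin, randomise, trials=20000, seed=1):
    """Fraction of trials in which repeating the watched positions is accepted."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        watched = enter_pin(pin, new_layout(rng, randomise))
        attempt = decode(watched, new_layout(rng, randomise))
        hits += attempt == pin
    return hits / trials

if __name__ == "__main__":
    pin = [7, 2, 9, 4]  # constructed sample PIN (assumed length 4)
    print("fixed layout:     ", replay_success_rate(pin, randomise=False))
    print("randomised layout:", replay_success_rate(pin, randomise=True))
```

Under this model a fixed layout accepts the repeated positions every time, while a reshuffled layout accepts them with probability 1/(10·9·8·7) = 1/5040 for four distinct tactons.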
"It's a very novel approach," says Paul Dunphy, a researcher at Newcastle University, UK, who has looked at ways of making PINs more secure.
One potential weak spot is the possibility that a would-be hacker could use microphones to pick up the faint buzzing sounds produced when a tacton is activated, he said. The team's alternative approach - using audio feedback through headphones instead of tactile cues - could avoid such attacks. The work was presented last week at the OzCHI conference in Canberra, Australia.