Windows 8 picture password is 'Fisher-Price toy' says father of 2-factor authentication

[InfoSec News <alerts () infosecnews org>]

http://www.networkworld.com/news/2011/122211-windows8-authentication-254372.html

By Tim Greene
Network World
December 22, 2011

The Windows 8 feature that logs users in if they touch certain points in a 
photo in the right order might be fun, but it's not very good security, 
according to the inventor of RSA's SecurID token.

"I think it's cute," says Kenneth Weiss, who now runs a three-factor 
authentication business called Universal Secure Registry. "I don't think it's 
serious security."

The major downside of the picture password is that drawing a finger across a 
photo on a touch screen is easy to video record from a distance - making it 
relatively easy to compromise, he says. Designers of alpha-numeric passwords 
recognize this danger and have responded to it by having password characters 
appear as dots on the screen so the password can't be copied down.

Designers of Windows 8's picture login have made a traditional password an 
alternative, perhaps in acknowledgement of this shortcoming, he says.

[...]


_____________________________________________________
Subscribe to InfoSec News - www.infosecnews.org
http://www.infosecnews.org/mailman/listinfo/isn