Skip to main content

Pattern-based authentication: Solving the password problem

password
(Image credit: Image source: Shutterstock/Ai825)

Passwords and PINs have become a ubiquitous part of our daily lives; we use them at ATMs, to unlock our phones and to access various online accounts. This solution has, however, given rise to its own set of password-associated problems. How do we manage to remember all the different combinations that give us access to our vital information or services? To add to this, when thinking of a PIN code, do you typically remember the specific numbers, or do your fingers automatically follow a pattern? With the associated complexity expectations for passwords constantly developing, users are finding it increasingly difficult to manage their various accounts while remaining secure. 

Unfortunately, passwords are and will continue to be an unavoidable part of our lives, but as they are becoming less and less effective for authentication, we are struggling to properly secure vital accounts and information. Password security as a knowledge factor needs to evolve, and this is where pattern-based authentication comes in. Using psychology, and our natural ability to remember patterns and shapes over specific numbers, we can use pattern-based authentication to improve security over passwords along all while improving the user experience. 

The password problem  

Passwords have been in existence for centuries, with the purpose of keeping systems and their users safe. Until recently, they have remained almost completely unchanged, but in a digitally-developing world, they are failing to adequately protect us and our information. For example, throughout 2020 alone, over 36 billion records were exposed and compromised. Email addresses and passwords prevail in being the most exposed data types of the year, with 29.4 percent passwords being revealed as a result of data breaches. 

The standard practice is for companies to advise their employees to regularly change their passwords, although this has proven to be ineffective. With almost every application or system we log onto these days requiring a password, it has become virtually impossible for users to follow specific guidelines, while also remembering every password they have ever come up with. Covid-19 has particularly contributed to a surge in account creation, meaning users have more accounts than ever to keep up with. Consequently, with the rise in breaches, it is becoming increasingly clear that current solutions are no longer working. Rather, they are complicating matters as passwords become simpler for machines to crack. It’s time to admit it: Passwords must go. But what is effective enough to replace them?  

Some passwordless logon systems do exist however they often replace the password with a totally different factor, e.g. biometrics, instead of offering an alternative knowledge factor. This makes switching away from passwords in existing systems very difficult. 

How pattern-based authentication will change the future of passwords: 

The Paivio dual coding theory has demonstrated on several occasions that humans struggle less remembering graphical objects, such as pictures, images or shapes. This can be attributed to the fact that, as opposed to numbers, these stimulate the brain, which can help with short and long-term memory. Generally, many people struggle to recall their PIN codes unless they are physically looking at their phone screen. In an experiment to prevent “shoulder-surfing” banks introduced a safety measure in which the numbers on the regular keypad would switch positions, making it harder to guess someone’s PIN. This nevertheless still caused an issue, as many people ending up entering their PINs incorrectly, and the experiment was abandoned. Overall, countless studies show that humans think and read in shapes as opposed to letters or words and as such, patterns are consequentially a better option for a knowledge factor of authentication.  

Pattern-based authentication allows users to derive a unique one-time code, which removes the necessity for a traditional password or static PIN code. With this method, users will be able to come up with a memorable pattern to create a sequence of numbers that will serve as the security barrier to their accounts. The numbers would change place each time, and as a result, the sequence of numbers will be different for each logon. The pattern, however, never changes. Taking the real-world scenario of an ATM machine: a square pattern would typically create the sequence 1793. With pattern-based authentication, these numbers would be arranged randomly, while the square pattern would remain constant. To further improve security, the secret pattern is never be transmitted between the user and the server, making it nearly impossible for a cyber-criminal or a fraudster to gain access.

What are the advantages?  

The overall security of accounts and vital information is significantly improved by using a pattern as opposed to a fixed sequence of numbers or letters. Standard passwords and passphrases are divulged to the system during every logon, leaving a footprint and creating a security gap that can be breached by hackers. The pattern, on the other hand, is not shared with the system, meaning any hacker attempting to get into an account is left without an exploitable entry point. As previously mentioned, with the numbers constantly switching positions, the risk of shoulder-surfing is reduced and a user’s knowledge factor is a lot harder to deduce.  

More importantly, the requirement for multi-factor authentication (MFA) is also minimized. A user still has the option of employing MFA to add an additional layer of physical security to the pattern. However, this may not necessary as MFA is commonly used to simply bolster a weak password. Pattern based-authentication with MFA would not change the overall logon user experience; the grid of numbers is simply displayed on a separate physical device such as a phone and the user simply needs to know their pattern.

Steven Hope, CEO, Authlogics

Steven Hope is CEO at Authlogics.