How will Microsoft differentiate Windows 8 in an already crowded Windows OS user space? How about, for one, with the use of a photographic gesture security system for logging in? The idea of using a photo to identify and authenticate the user is not without some pretty obvious problems (ambient lighting, bad hair day, forgetting to shave could all screw up your chances of using the computer that day) which is why Microsoft developers have thought outside of the box on this one.
The important part of the 'photographic gesture security system' is the gesture bit. Rather than using a photo of the user, the user chooses any photo they like and then selects parts of the image to use instead of a password. So, for example, you could tap on your face in a group photo, or draw a circle around the monkey in the top left corner of a wildlife image, or drag a line to connect two people in a photo. The gestures themselves act as your password. Whether they are created using a touchscreen and your finger or a mouse makes no difference: it is the act of tapping, drawing or dragging within a specific location of the screen that allows you access to the computer.
Now you may think that this is inherently insecure; after all, the chances are that the bit of a group photo chosen to be the picture password will be the user him or herself. However, it's not that simple. Someone trying to bypass the security measures would need to know not just what bit of the picture is being used but also where the start and end points of the drawing/dragging process are.
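As an added illustration (not Microsoft's implementation, and not code from the original article), the sketch below models a picture password as an ordered list of tap, circle and line gestures in coordinates normalised to the image, and shows why knowing which part of the photo is used is not enough: the right two points joined in the wrong direction, or the right spot with the wrong kind of gesture, both fail. The gesture format, the `TOLERANCE` value and every function name are assumptions made for the example.

```python
import math

TOLERANCE = 0.05  # assumed allowed error, as a fraction of image size

def _near(p, q, tol):
    return math.dist(p, q) <= tol

def gesture_matches(enrolled, attempt, tol=TOLERANCE):
    """True if one attempted gesture matches the enrolled one within tol."""
    if enrolled["type"] != attempt["type"]:
        return False
    kind = enrolled["type"]
    if kind == "tap":
        return _near(enrolled["at"], attempt["at"], tol)
    if kind == "line":  # direction matters: start and end are compared in order
        return (_near(enrolled["start"], attempt["start"], tol)
                and _near(enrolled["end"], attempt["end"], tol))
    if kind == "circle":
        return (_near(enrolled["center"], attempt["center"], tol)
                and abs(enrolled["radius"] - attempt["radius"]) <= tol)
    return False

def verify(enrolled_seq, attempt_seq, tol=TOLERANCE):
    """Check the whole ordered sequence; every gesture is evaluated."""
    if len(enrolled_seq) != len(attempt_seq):
        return False
    return all([gesture_matches(e, a, tol)
                for e, a in zip(enrolled_seq, attempt_seq)])

# Constructed sample data: tap a face, circle the monkey, connect two people.
ENROLLED = [
    {"type": "tap", "at": (0.30, 0.40)},
    {"type": "circle", "center": (0.10, 0.12), "radius": 0.08},
    {"type": "line", "start": (0.25, 0.60), "end": (0.70, 0.55)},
]
# Owner's login: same gestures with small positional jitter.
OWNER = [
    {"type": "tap", "at": (0.31, 0.41)},
    {"type": "circle", "center": (0.12, 0.11), "radius": 0.10},
    {"type": "line", "start": (0.26, 0.58), "end": (0.68, 0.56)},
]
# Right parts of the photo, but the line is drawn in the opposite direction.
REVERSED = OWNER[:2] + [{"type": "line", "start": (0.68, 0.56), "end": (0.26, 0.58)}]
# Right part of the photo, but the face is circled instead of tapped.
WRONG_KIND = [{"type": "circle", "center": (0.30, 0.40), "radius": 0.05}] + OWNER[1:]

if __name__ == "__main__":
    for name, attempt in [("owner", OWNER), ("reversed line", REVERSED),
                          ("wrong gesture type", WRONG_KIND)]:
        print(f"{name}: {verify(ENROLLED, attempt)}")
```

Tightening the assumed tolerance makes a guess harder to land but also starts rejecting the owner's own slightly imprecise gestures.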
I'm actually all for any kind of login innovation which makes basic computing more secure for the masses, and welcome these early moves by Microsoft to bring something new to the Windows OS from the ITSec perspective. However, some security vendors are already warning that higher levels of authentication may be needed for some users. Steve Watts, co-founder of tokenless two-factor authentication specialists SecurEnvoy, says that the Windows 8 pictorial authentication will rely on the accuracy of the touch screen device, as well as the accuracy of the user's gestures when logging in.
"Some users may also find that the system is far from secure when using their laptop in public places," Watts warns. "Pictorial login systems can easily be seen in a busy railway or airport café by someone visually eavesdropping your laptop from the next table. Using a mobile phone to authenticate yourself, on the other hand, is a far more secure process, as it uses something you have and something you know, to verify you are who you claim to be. Put simply, if someone shoulder surfs your login using the new Windows 8 security system, then they effectively have access to your computer. So whilst we welcome this alternative to the tired old PIN and password system that has been proven to be less than secure as a means of logging in, we feel that the message about tokenless two-factor authentication also needs to be made."