A Colorful Approach to Security

By Sarah Jensen

RSA research scientist Kevin Bowers and his team were inspired to explore ways of improving the decades-old PIN system of user authentication. Photograph by Asia Kepka

A new authentication technology based on color could help stop "shoulder surfing" at the ATM.

New technologies seem to appear faster than users can keep up, but our most common activities (automated banking, point-of-sale credit card purchases, entering the office via a badging system) rely on technology developed more than 40 years ago. The automatic teller machine (ATM) appeared in 1967 along with the personal identification number (PIN) to authenticate its users, but their underlying framework hasn't changed significantly since then.

That situation intrigued RSA research scientist Kevin Bowers and his team, who are examining ways to improve the decades-old PIN system. "We began to wonder if technology hadn't advanced so that we could develop a better authentication mechanism with more security and a better user experience," he explains.

And then came PIP

"There are concerns about how much security you're actually getting from a PIN," Bowers continues. "Four digits really aren't enough to provide secure authentication, but matching two pairs of colors on a touchscreen could provide five to six times the security of a four-digit PIN." With that idea in mind, Bowers and his team created a system prototype they've dubbed Personal Identification Pairs, or PIP.

Where the PIN entry system requires the user to type digits on a keypad, PIP presents a grid of 16 tiles, each a different color. The user must connect tiles representing his two secret color pairs by sliding his finger across a touchscreen similar to that on a mobile phone. "In two swipes, you connect the colors that make your pairs," explains Bowers. "If one of your pairs is maize and blue, for example, you touch the maize tile and don't let go until your finger is over the blue one. You're actually entering more information in fewer gestures than when you enter a PIN."

Full-spectrum security and usability

PIP is particularly effective in thwarting "shoulder surfing" attacks by the shady character next in line at the ATM. "Shoulder surfing is an easy attack because the person behind you can simply watch as you enter your PIN," says Bowers. "He immediately knows what buttons you've pressed."

PIP tiles, on the other hand, can be randomly mixed each time the user approaches an ATM. "You perform your two swipes and the person behind you has no idea what colors you just touched," says Bowers. "When he walks up to the screen, his 16 colors are in different places. Even if he can mimic where you put your fingers, he's not selecting the same colors."
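
An added example (not RSA's code and not part of the original article) that models the PIP entry described above. It counts the keyspace under the assumption that each pair is an ordered swipe between two different tiles, which lands inside the quoted "five to six times" range, and compares replaying observed finger positions on a fixed grid with replaying them on a reshuffled one. The function names, the integer color ids and the observer who records only finger positions are assumptions of this sketch.

```python
from fractions import Fraction
import random

TILES = 16            # grid size given in the article
PIN_SPACE = 10 ** 4   # four-digit PIN

def pip_keyspace(tiles=TILES, pairs=2):
    # Assumption: a pair is an ordered swipe between two different colors.
    return (tiles * (tiles - 1)) ** pairs

def new_layout(rng, tiles=TILES):
    """Return a list mapping grid position -> color id, shuffled per session."""
    layout = list(range(tiles))
    rng.shuffle(layout)
    return layout

def positions_touched(secret, layout):
    """What an observer of finger movement sees: (start, end) positions."""
    where = {color: pos for pos, color in enumerate(layout)}
    return [(where[a], where[b]) for a, b in secret]

def replay(positions, layout):
    """Colors selected when the same positions are swiped on `layout`."""
    return [(layout[s], layout[e]) for s, e in positions]

def replay_probability(secret, tiles=TILES):
    """Exact chance that replayed positions hit the secret on a fresh shuffle."""
    distinct = len({c for pair in secret for c in pair})
    p = Fraction(1)
    for i in range(distinct):
        p /= (tiles - i)   # each needed color must land on its observed position
    return p

def simulate(secret, sessions, seed=1):
    """Count replay successes against a fixed grid and against reshuffled grids."""
    rng = random.Random(seed)
    fixed = new_layout(rng)
    fixed_hits = shuffled_hits = 0
    for _ in range(sessions):
        victim = new_layout(rng)
        fixed_hits += replay(positions_touched(secret, fixed), fixed) == secret
        shuffled_hits += replay(positions_touched(secret, victim), new_layout(rng)) == secret
    return fixed_hits, shuffled_hits

if __name__ == "__main__":
    secret = [(3, 7), (12, 0)]   # constructed secret: color ids, not real data
    print(pip_keyspace(), pip_keyspace() / PIN_SPACE)
    print(replay_probability(secret), simulate(secret, 5000))
```

The model covers only an observer who captures where the fingers moved; it says nothing about one who can also read the colors on the screen.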

Currently in the prototype phase, PIP is poised for usability testing. "The next step is determining how many colors a user can actually distinguish under various lighting scenarios," says Bowers. "We're also working to make sure PIP addresses the needs of all its users; we're looking at adding textures or patterns to the PIP touchscreen to assist color-blind or vision-impaired users."

Bowers envisions an incremental rollout of PIP, whereby color touchscreens and upgraded software would be integrated into existing devices during routine maintenance and repair. Users would also have the option to revert the devices to the familiar numeric touchpad until they're comfortable with the PIP process.

Memorizing one's PIP shouldn't be a worry, says Bowers. "Studies indicate that people remember colors much more easily than they do numbers." And recalling one's high school colors and the hues of one's dream house just might make waiting in the ATM line a bit easier, too.
