Passwords and personal identification numbers (PINs) are the most widely used methods for gaining access to personal computers, mobile computing devices, and online accounts. Because of their widespread use, they are well understood by users. However, knowledge-based systems have disadvantages. For example, some systems require a user to learn complex passwords in order to provide adequate security. In addition, as the number of password-protected devices or accounts grows, a user needs to remember multiple passwords or password variants, which increases the mental burden of the logon process. In some instances, users write down all of their passwords, negating the security.
Traditional password entry is also prone to attack by “shoulder surfing.” This problem is exacerbated by the increasing use of mobile devices and public surveillance systems. Furthermore, traditional touch-based PIN entry schemes are prone to “smudge attacks,” where attackers can guess a PIN or other access code from smudges on a touch screen (if the attacker gains access to another person's mobile device).
Some biometric authentication systems do not work at short range, and thus do not work well on mobile devices or while a person is seated. In addition, biometric authentication that uses a single point of reference cannot provide sufficient uniqueness to be secure. Some biometric authentication systems use touch-screen gestures. Such systems are limited to gestures in two dimensions and to movement within the screen. This is particularly limiting on a small mobile device. In addition, such systems are susceptible to smudge attacks.