Some local and remote computing resources are protected with passwords and/or personal identification numbers (PINs), such as operating systems, online accounts, files, and password lockers. To be effective, passwords typically need to be complex. However, typing a complex password on many popular devices, such as touch devices, is cumbersome and often results in errors. Out of frustration, users may resort to using short, simple passwords that don't provide adequate security. PIN values tend to be short, and users often reuse the same PIN in multiple settings, making them vulnerable to brute force attacks or guessing. Both PINs and passwords are vulnerable to “shoulder surfing” attacks, where someone watches the user enter the PIN or password. The availability of smart phones with video recording capabilities has made this kind of attack even easier.
On some computing devices, the host operating system allows users to save passwords on the device itself, so that the passwords do not have to be manually reentered for subsequent authorization events. While this may make it more likely that a user will choose a strong password, it can lead to problems if the host operating system releases the password without any additional prompting. For example, if the user shares the computing device with family members or a visiting friend, those people might be able to access otherwise secure resources without the user's consent.
There are a number of situations where multiple people might have access to a single computing device. For example, devices may be casually shared among family members and/or friends. For example, a parent may let a child use the computing device to play a game. Devices may be lost or stolen and used by an unauthorized person. If the device is unlocked at the time it's shared, lost, or stolen, the person possessing the device may have unrestricted access to resources that the device owner may want to keep private. For example, application programs that manage sensitive data, such as banking or brokerage records and/or stored passwords for corporate email accounts, websites, or other online services may be available for use by unauthorized users.