How many passwords do you have for the different websites you hold accounts on? Social networking sites like Facebook, Twitter and Instagram, online banking services, email accounts: all of them require a password or some other kind of proof before they let you use the account. Some people use one common password for every online account they have, while others use a different password for each.
Passwords are the most commonly used form of authentication, especially on the web. A PIN (Personal Identification Number) is a variant: basically a shorter, numeric password. While passwords are very effective and a fundamental part of online security, they only work if they stay secret, and passwords that resist guessing tend to be complex. When signing up for an account, it’s common to see password policies like “Password should have at least 8 characters with a number and a special character”. Such policies make accounts harder to guess, but they have a fundamental flaw: the more complex a password becomes, the harder it is to remember. Because of this, some people end up committing the cardinal sin of writing the password down. Other authentication mechanisms such as unlock patterns, face scans and fingerprints are already in use, but they come with plenty of privacy and security concerns of their own. What if you could use your emotions as your password?
This article explores how one can implement a simple authentication mechanism using emojis. There are many genres of emoji, but facial expressions are the most commonly used. Emojis have become a preferred way to express oneself; in 2015, Oxford Dictionaries even named ‘Face with Tears of Joy’ its Word of the Year. What if we could use emojis for more than just expressing our emotions?
Technically, an emoji has two parts: the visual glyph we see, and the Unicode code point (or short sequence of code points) behind it, which is what is actually stored and transmitted. Every emoji has a distinct code, conventionally written in hexadecimal as U+XXXXX. In this proof of concept, a user is presented with a simple login interface, but instead of the normal alphanumeric keyboard an emoji keyboard pops up when the password field is clicked. The user is required to enter a combination of four different emojis as their password. Say, for example, a user enters ‘Face with Tears of Joy’, ‘Winking Face’, ‘Smirking Face’ and ‘Relieved Face’. While what the user sees are emojis, in the background we capture the hex codes representing them, as follows:
In step four, the four emoji hex codes are concatenated to form the user’s password string, which is then hashed. For this demonstration, bcrypt with a work factor of 10 (2^10 rounds) was used. One is free to substitute another password hashing algorithm, as long as it is a deliberately slow one designed for passwords rather than a fast general-purpose hash.
As we saw earlier, the more complex a password becomes, the harder it is to remember. Emojis, however, like any other image, benefit from a higher rate of visual recall, which makes them easier to remember. Entering emojis as a pass code is also more fun than typing a password. Emojis have become a universal language understood the world over regardless of literacy level, which makes adoption easier for people with low literacy. There is a size argument too: four non-repeating digits (0-9) give only 10 × 9 × 8 × 7 = 5,040 possible PINs, whereas four non-repeating emojis drawn from a keyboard of 44 give 44 × 43 × 42 × 41 ≈ 3.26 million, roughly 650 times as many. This makes guessing an emoji password considerably harder than guessing a PIN. Note, though, that 3.26 million is still only about 21.6 bits; an attacker who obtains the stored hash can try every combination offline, so the scheme depends on a slow password hash and on rate limiting of login attempts, just as a PIN does.
One possible weakness is that a user may enter the same emoji four times. This can be addressed by enforcing ‘emoji password policies’, for example requiring four distinct emojis; note that such a rule slightly shrinks the search space (44^4 ≈ 3.75 million with repeats allowed versus 3.26 million without), so its value is in steering users away from trivially guessable choices rather than in adding combinations. Another limitation is that physical keyboards have no provision for emojis, so the scheme is only usable with virtual keyboards.
This was just a proof of concept which can be made more secure and production ready in the following ways:
This proof of concept was jointly developed by Benjamin Munyoki (Kenya), Daniel Omeiza (Nigeria) and David Chukwuma (Nigeria) during the Facebook - Carnegie Mellon University Africa Cyber Security Hackathon.