Most passwords rely too much on pet names, anniversary dates and other easily-guessed concepts. But replacing those words with pictures could provide a substantial improvement in security.
Pictures and faces are much easier for consumers to remember than complex passwords, but as a security method images have not attracted much support for protecting financial accounts. Companies like Passfaces Corp. launched a decade ago with the mission of replacing passwords with a Brady Bunch-like grid of faces, but the company no longer focuses on financial services.
A vendor called Intelligent Environments is trying again with a system that is more mobile-friendly. It allows users to choose a string of emoji, the diverse range of "smileys" that are popular in text messaging, as a passcode for logging into their mobile banking app.
"Humans are better at remembering pictures rather than words and numbers," said Simon Cadbury, head of strategy at U.K.-based Intelligent Environments.
Intelligent Environments worked with Tony Buzan, a mind memory expert and inventor of Mind Maps to develop the Emoji Passcode, which it unveiled this week.
Passfaces determined that its own product couldn't scale well enough to serve as security for online banking, and it now focuses on other markets, said Jon Shaw, its CEO. But Passfaces launched before the iPhone — and thus, long before the idea of using an app to manage bank accounts and payments.
But in 2015, most millennials can't live without a smartphone and emoji "are familiar and fun," Cadbury said. "We're not trying to limit this to millennials but this taps into something millennials associate with."
Venmo, the mobile person-to-person payments system owned by PayPal, has also tapped into the emoji craze, though not for security purposes. Venmo's app lets users send both text and emoji messages with transactions.
There's even a startup called Fooji that wants to accept food orders from people who tweet emoji depicting hamburgers and cookies.
Emoji are reportedly the fastest growing language in the U.K. And with the popularity of using "stickers" (an equivalent of emoji) in social media apps like Facebook and Line, many other countries are likely seeing the same phenomenon.
But security is the kicker. The emoji-only passcode that Intelligent Environments launched this week "is mathematically more secure" than a PIN, Cadbury said. "There are about 480 times more permutations than for a four digit passcode."
There are 7,290 non-repeating digit combinations of a four-digit PIN, compared to 3.5 million variations in Intelligent Environment's four-image emoji login system, which does not allow repeating emoji. Users choose from among 44 emoji.
Emoji Passcode comes at a time when the financial services and payments industry as a whole is rethinking how to authenticate customers. Consumers not only have trouble keeping track of multiple usernames and passwords, but also choose passwords that are easy for them to remember, and thus easy for fraudsters to guess.
According to Cadbury, one-third of people forget their digital banking password or PIN and need to reset it, and of those that change a PIN, about one-fourth use the same PIN to enter their digital banking account as they use to authenticate their debit card. About 25% of consumers use a number that's easy to guess, a birthdate or wedding anniversary, he said.
Apple is addressing this issue in iPhones, which currently have a minimum PIN length of four characters. With the upcoming iOS9 update, Apple will change that minimum to six characters, thus shoring up security as it encourages more consumers to use its phones as mobile wallets.
Of course, iPhones also have a built-in fingerprint reader, as do many Android handsets. But fingerprint authentication is spreading slowly, and Cadbury notes that most smartphones can display emoji without requiring newer hardware.
Although the emoji security system may work well for logins, banks may prefer a more conventional security approach for transactions.
"There's a lot of interest in alternative methods for authentication," said David Poole, business development director at myPINpad, a mobile PIN security provider. Emoji Passcode "is a creative way for creating some buzz... but it's probably not going further than [login] and not authenticating for transactions."
Because banks cannot process emoji with the systems they use to accept alphanumeric characters, they are unlikely to redesign anything other than a mobile app for accepting smiley faces as authentication.
Cadbury agreed that emoji logins might not fit all banking and payments use cases. "We're not pretending this is scientifically a huge breakthrough, although it is a great improvement," he said.
But any advancement in security is a positive.
"The bigger picture is that people are looking to get innovative around this space... and multi-factor is becoming more topical," Poole said. "And mobile device lends itself to multi-factor."
MyPINpad authenticates cardholders via their mobile phones for ecommerce and mcommerce in-app transactions. The solution displays a PIN pad of numbers on a consumer's mobile device, presenting the numbers in random spots to deter keylogging and shoulder-surfing.