Turning mobile security upside down

Hackers won’t know which way your passcode points with this patent 

By James Kozloski, Computational and Applied Neuroscience scientist, IBM Research 

How many numbers long is your smartphone’s log in passcode? The standard four digits? (If you don’t use a login password, you should!) Because my work email and calendar are on my phone, I have to enter an eight-digit code. Not a big deal until I’m trying to pay for coffee, and the barista asks me to rescan my bar-code, so I have to re-enter those eight digits again (and sometimes again) – with angry caffeine-deprived patrons in line behind me.

My ideas for patents are often completely different and separate from my day-to-day job in studying neuroscience. I actually spend most of my time with healthcare clients working on neuro-degenerative diseases, deep brain stimulation, and pharmaceuticals, trying to understand the relationship between brain tissue and the functions that the brain implements, such as behavior selection. I think of patents this way: what are the systems and methods around us that could be improved to solve a problem I’ve identified? So, even if I don't have the specific technical expertise, I can explain how something should work, and then seek out a colleague with the expertise to bring something to a patentable stage.

In commiserating about smartphone passcode follies with a colleague, we realized that alpha-numeric digits for a passcode could be reduced if coupled with an orientation, since adding orientation would actually change the probability that any one digit is actually the correct digit. Now, the question becomes: is the "2" right side up? Or is the "2" at a 90 degree angle? Just one digit has multiple possibilities. 

You could say that patent 8,832,823: “User access control based on handheld device orientation” came out of wanting to access my phone (and pay for coffee) faster!

Secure disorientation 

Think of device orientation like a keyboard’s “shift” key. It gives the device a new set of bits to access without needing a new physical key or character to enter. But the orientation precision needed is no greater than what’s needed to rotate a device’s screen. Easier to manipulate than a sticky “shift” key, but still difficult to guess – even if you password is “password.”

More options. Fewer keystrokes!

Turning your phone (or any mobile device with an accelerometer) as you enter a passcode is just one level of improved security. The patent also takes into account how to store the digits separately from the orientations. This means that even if your passcode is stolen (say from an online hack), your locally-stored orientations would prevent remote access. And vice versa, if your phone is stolen, there’s almost no chance the thief could replicate your “digit + orientation” passcode entry. 

Connecting a device’s local orientation, or accele-metric component, with alphanumeric codes stored by a remote web-based service (such as a bank or online store) means any website that requires a password can use this invention. Then locally, your phone’s OS can determine the orientation of portrait or landscape for a key press (regardless of character identity), and verify that the key press order – plus orientation order – is valid. And just as different passcodes give you access to different websites, different orientation passcodes could give you access to different parts of your phone. 

So, hopefully during a not-too-distant future stop for coffee, when I’m armed with a two-key orientation passcode – that only accesses a digital payment option (and not my work email) – I won’t drop my phone when I have to turn it upside down!

More about IBM's 2014 patent leadership 

• IBM sets patent record
• Patent powers a cleaner commute
• A new generation of young inventors
• Validating a (hack-free) web experience