It's past time the world moves away from text-based passwords and verifications for mobile phones and starts embracing more secure image-based solutions, say computer scientists from the University of Surrey.

In a new study, Surrey scientists demonstrate an image-based authentication system called TIM (Transparent Image Moving) for mobile phones to help reduce the risk of shoulder surfing attacks. TIM requires users to select and move predefined images to a designated position for passing authentication checks, similar to those required for online shopping.

The proof-of-concept study found that 85% of TIM users believed it could help them to prevent password guessing and shoulder surfing attacks. The study also found that 71% of participants think TIM is a more usable image-based solution than others on the market. The research has been published in the Journal of Information Security and Applications.

Dr. Rizwan Asghar, co-author of the paper for the University of Surrey, said, "We spend much of our lives on our mobile phones, and we depend on them for activities such as banking, shopping and for keeping up with our loved ones. However, it is striking how little innovation and progress has been made in how we protect this activity and our most private information. We believe imaged-based and interactive authentication processes like TIM are a step in the right direction."

Shoulder surfing is a security attack in which someone records sensitive information, such as passwords or credit card numbers, entered by a victim on a computer screen or a mobile device by looking over their shoulder or from a distance. Shoulder surfing attacks often occur in crowded public places such as airports, coffee shops, or public transportation.

Dr. Asghar states, "The current text-based status quo offers trade-offs between usability and security. While short text-based passwords are easy to remember, they are not secure enough and leave you vulnerable to password guessing or shoulder surfers. Long-text passwords are winners in terms of security but are incredibly difficult for users to remember.

"It's promising that many of our participants found TIM to be useable and didn't find the learning curve to be too steep. This suggests that the market could be ready for image-based alternatives to mobile security."