Morse-Style Tap Codes for Mobile Authentication

Authenticating legitimate users of mobile devices in a manner that is both reliable and convenient is hard, which is why companies continue to experiment with approaches that try to balance security and convenience. A freshly-minted Coin app asks users to authenticate by touching the phone’s screen to enter a sequence of short and long taps in the style of Morse code.

When starting the Coin app for the first time, the user needs to log in using the traditional username/password pair. After that, the app asks the person to select a private Tap Code, which is “a Morse code-like sequence that you’ll use each time you open the Coin app. The Tap Code is a series of 6 taps, short or long.”

Anticipating the need to train people how to properly specify a Tap Code, the app requires users to practice entering a Tap Code before selecting their own, requesting that they “get a feel for long and short taps by practicing the pattern above.” Sadly, I failed several practice tests before eventually tapping in the right sequence. Tapping short and long codes is harder than you might think!

When the Coin app launches, it prompts the user to enter the “six element tap code.” The general approach of providing a quick way to authenticate to the app in lieu of typing the full password is present in many financial and other applications. However, those apps generally ask the user to enter a numeric PIN, rather than to tap a Morse-style code.

As a user of the Coin app, I struggled with the taps. Perhaps my thumb lacked the dexterity, or maybe my brain was intentionally sabotaging the experience to avoid the concentration that remembering and entering my tap sequence requires. Also, I kept forgetting my Tap Code.

When I failed to enter the correct sequence three times in a row, the app prompted for a full password as a way of deterring Tap Code guessing.
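
A minimal model of the mechanism described above, added here as an illustration and not taken from the Coin app: six taps classified as short or long, checked against the enrolled code, with the full password required after three consecutive misses. The 300 ms threshold and the names `classify`, `TapCodeGate` and `guess_success_probability` are assumptions; the last function shows how much guessing the three-strike limit still leaves open.

```python
import hmac

LONG_TAP_MS = 300   # assumed short/long boundary; the article gives no value
CODE_LENGTH = 6     # "a series of 6 taps, short or long"
MAX_FAILURES = 3    # three misses in a row force the full password


def classify(durations_ms):
    """Turn raw press durations into a string of S (short) / L (long)."""
    if len(durations_ms) != CODE_LENGTH:
        raise ValueError("a Tap Code has exactly 6 taps")
    return "".join("L" if d >= LONG_TAP_MS else "S" for d in durations_ms)


class TapCodeGate:
    """Shortcut authenticator that falls back to the password after 3 misses."""

    def __init__(self, enrolled_durations_ms):
        self._code = classify(enrolled_durations_ms)
        self.failures = 0

    @property
    def password_required(self):
        return self.failures >= MAX_FAILURES

    def attempt(self, durations_ms):
        if self.password_required:
            return False      # Tap Code stays disabled until the password is used
        try:
            candidate = classify(durations_ms)
        except ValueError:
            candidate = ""    # a wrong tap count still counts as a miss
        if hmac.compare_digest(candidate, self._code):
            self.failures = 0
            return True
        self.failures += 1
        return False

    def password_verified(self):
        """Call after a successful full-password login (not modelled here)."""
        self.failures = 0


def guess_success_probability(tries=MAX_FAILURES, symbols=2, length=CODE_LENGTH):
    """Chance that `tries` distinct guesses hit a uniformly chosen code."""
    return min(1.0, tries / symbols ** length)
```

With two symbols and six positions there are only 64 possible codes, so the default call returns 3/64, which is why the failure counter and password fallback carry most of the protection.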

I applaud Coin’s attempt to provide an alternative to traditional PIN-based shortcut authentication approaches. Unfortunately, I find that the uniqueness of its Tap Code method negatively impacts the user experience, at least in the company’s present implementation of the mechanism. Though not as sexy, numeric PINs are familiar to people and work reasonably well. Authentication approaches based on gestures might be more familiar to users, too, especially on Android devices.

If innovative approaches to mobile authentication are interesting to you, check out these articles:

About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He presently oversees the financial success and expansion of infosec services and SaaS products at NCR. He also trains incident response and digital forensics professionals at SANS Institute. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.
