How and why we built the emoji passcode

Author: Alan Brown

Fun, secure, usable – our emoji passcode caused a bit of a media storm. Here’s how and why we got from a bright idea to the launch of this brilliant bit of banking app authentication.

In case you didn’t notice, Intelligent Environments caused a bit of a ripple in the computer security press last month when we unveiled our latest feature for keeping hackers out of your sensitive banking data; our seriously fun, seriously secure emoji passcode.

Our emoji passcode is an optional feature that replaces our app’s standard numeric passcode with one based on emojis (pictographs).

It’s certainly a lot more fun to look at than a grid of numbers, and it is designed to be engaging, but it has a serious purpose—there are so many possible combinations (hundreds of times more than a normal passcode) that it’s really hard to crack.

An idea is born

Although lots of the features in our products are suggestions that originate from users this particular bright idea came from one of our own product brainstorming sessions.

We’re always looking for new ideas that can improve security and usability and this one came about at the same time the BBC were breaking the news about emoji being the fastest growing language in the UK.

There are a huge number of emoji pictographs available on apps like Twitter, Skype and WhatsApp and they add up to a very rich language. In fact it’s a perfect fit for the Millennial generation who want to communicate their thoughts and feelings with photos, tweets and short messages.

We thought that same richness could be used to improve security.

Security and usability

The security of our emoji passcode stems from the number of possible combinations of emojis that you can create. Our app uses a grid of 44 emojis, which gives a four character passcode almost four million permutations, a huge improvement over the ten thousand combinations you get from a four digit numeric passcode.

Early on we realised that we’d need to implement our app’s emoji keyboard as custom keyboard. In attempt to be helpful inbuilt keyboards remember and prompt you with the character combinations you’ve most recently used—it doesn’t matter how strong a passcode is if the phone is showing it to you!

The number of emojis in our grid is a balance between usability and security. We needed enough characters to provide a considerable improvement in security but not so many that people couldn’t remember which ones they’d chosen.

To help people remember their combination we tried to choose emojis that are distinct and won’t be easily mistaken for each other. Our standard pictographs are drawn from a set produced for Twitter too so that many users will already be familiar with them.

Since we launched it last month a lot of people have asked us why we didn’t scramble the emoji grid. The theory being that if the order of the emojis is different each time they appear then users won’t choose insecure combinations such as all the characters in one row or column. It also makes it harder for thieves to guess your passcode combination from the finger marks you leave on the screen.

We thought about it, but in the end we decided that scrambling the order of the emojis would make it too confusing, difficult and ultimately slow to use. Banking apps need to be accessible quickly so that people can use them in spare moments and users will often look at them several times a day.

It’s our view that our new passcode is already a huge improvement over the standard numeric system and the best way of improving security further, against all forms of attack and without sacrificing usability, would be to use the emoji passcode as one part of a two-factor authentication scheme. Personally I think it would work extremely well with a frictionless biometric such as face or fingerprint recognition.

Building it

Once we got the green light to build the emoji passcode facility it took our Mobile App Development team and UX designers less than ten days to take the idea from a standing start, through corridor usability testing to production-ready code.

Obviously an effective solution for something as critical as this has to have both excellent programming and excellent design and usability.

That demands close cooperation—something you don’t get with traditional forms of software development.

If software is built in distinct design and development phases, or by segregated design and development teams, it’s easy for problems to occur because each discipline can derail the other without realising.

Our product development teams use an Agile methodology which means that the designers and developers who created the emoji passcode are sat within ten meters of each other and they work on problems together, at the same time.

The result is smiley faces all round 😉

23 Jul 2015

Author: Alan Brown

Fun, secure, usable – our emoji passcode caused a bit of a media storm. Here’s how and why we got from a bright idea to the launch of this brilliant bit of banking app authentication.

In case you didn’t notice, Intelligent Environments caused a bit of a ripple in the computer security press last month when we unveiled our latest feature for keeping hackers out of your sensitive banking data; our seriously fun, seriously secure emoji passcode.

Our emoji passcode is an optional feature that replaces our app’s standard numeric passcode with one based on emojis (pictographs).

It’s certainly a lot more fun to look at than a grid of numbers, and it is designed to be engaging, but it has a serious purpose—there are so many possible combinations (hundreds of times more than a normal passcode) that it’s really hard to crack.

An idea is born

Although lots of the features in our products are suggestions that originate from users this particular bright idea came from one of our own product brainstorming sessions.

We’re always looking for new ideas that can improve security and usability and this one came about at the same time the BBC were breaking the news about emoji being the fastest growing language in the UK.

There are a huge number of emoji pictographs available on apps like Twitter, Skype and WhatsApp and they add up to a very rich language. In fact it’s a perfect fit for the Millennial generation who want to communicate their thoughts and feelings with photos, tweets and short messages.

We thought that same richness could be used to improve security.

Security and usability

The security of our emoji passcode stems from the number of possible combinations of emojis that you can create. Our app uses a grid of 44 emojis, which gives a four character passcode almost four million permutations, a huge improvement over the ten thousand combinations you get from a four digit numeric passcode.

Early on we realised that we’d need to implement our app’s emoji keyboard as custom keyboard. In attempt to be helpful inbuilt keyboards remember and prompt you with the character combinations you’ve most recently used—it doesn’t matter how strong a passcode is if the phone is showing it to you!

The number of emojis in our grid is a balance between usability and security. We needed enough characters to provide a considerable improvement in security but not so many that people couldn’t remember which ones they’d chosen.

To help people remember their combination we tried to choose emojis that are distinct and won’t be easily mistaken for each other. Our standard pictographs are drawn from a set produced for Twitter too so that many users will already be familiar with them.

Since we launched it last month a lot of people have asked us why we didn’t scramble the emoji grid. The theory being that if the order of the emojis is different each time they appear then users won’t choose insecure combinations such as all the characters in one row or column. It also makes it harder for thieves to guess your passcode combination from the finger marks you leave on the screen.

We thought about it, but in the end we decided that scrambling the order of the emojis would make it too confusing, difficult and ultimately slow to use. Banking apps need to be accessible quickly so that people can use them in spare moments and users will often look at them several times a day.

It’s our view that our new passcode is already a huge improvement over the standard numeric system and the best way of improving security further, against all forms of attack and without sacrificing usability, would be to use the emoji passcode as one part of a two-factor authentication scheme. Personally I think it would work extremely well with a frictionless biometric such as face or fingerprint recognition.

Building it

Once we got the green light to build the emoji passcode facility it took our Mobile App Development team and UX designers less than ten days to take the idea from a standing start, through corridor usability testing to production-ready code.

Obviously an effective solution for something as critical as this has to have both excellent programming and excellent design and usability.

That demands close cooperation—something you don’t get with traditional forms of software development.

If software is built in distinct design and development phases, or by segregated design and development teams, it’s easy for problems to occur because each discipline can derail the other without realising.

Our product development teams use an Agile methodology which means that the designers and developers who created the emoji passcode are sat within ten meters of each other and they work on problems together, at the same time.

The result is smiley faces all round 😉