Web Security

MapLoginTM - A novel map-based user authentication method

Prototype website: https://tildexe.appspot.com/


A method for logging in to websites (user authentication), by identifying a "secret" location instead of entering a normal textual password. Identifying this location is done by zooming in on a map/image (such  as Google Maps or similar service) and can be thought of as finding a "hidden treasure". Notice that it is the precise geographic coordinates (latitude/longitude) of a real object, identified by the user (for example: the sand trap on the 7th hole at the Pebble Beach golf course), that is stored on the server as a secret key.
This method can be offered as a service for the management of user accounts, equivalent to what the "log in with your Google or Facebook (OpenId) etc account" already provides, but with the benefit of being a more secure, convenient and independent alternative.


As outlined in "Has the time come to kill the password?" - passwords have many problems: a typical internet user must manage many passwords, often having different requirements on number of and type of allowed characters, which makes them hard to remember and manage. Also, entering a textual password on mobile devices (lacking a keyboard) can be very inconvenient.
At the same time, it is getting more difficult to protect websites (personal info) from intrusion by password hacking/cracking (e.g. hackers who targeted TurboTax).
So called "password managers" offer a way to simplify the management, while multi-step verification provides another layer of protection. However, neither option being ideal prompts the need for a more practical and secure alternative.


The secret location is identified by zooming in on a dynamic map, with gradually increasing resolution, effectively creating a series of Q&A challenges. A cross-hair, displayed over the map, determines the precise target location as the user pans the map. In order to minimize the number of zoom steps (clicks), a gazetteer is provided for selecting the initial location.


Obviously, security is the overarching goal and aside from standard practices, such as SSL encryption, the proposed method has the following unique advantages:
  •  No "password" is sent (neither clear-text nor encrypted)
  •  No actual coordinates are sent (only image pixel reference)
  •  No client caching of any kind
  •  Attacks can be quantitatively measured by distance from target and thereby repelled
The key is that identifying a location (pattern) on a map/image is a cognitive process that can't be "hacked".

Notice: that this isn't a normal Google Maps client. The map image is served in encoded form after being requested on the server (i.e. server acts as a broker to Google Maps/similar).