The combination of using a computer for sensitive data (mandating use of a screensaver) and convertible laptops (ie. devices turning into a tablet) leaves a user opening his suspended device into tablet mode with no way to get past the password prompt.
Having a screensaver present a soft keyboard
The trivial approach, but more prone to interception due to reduced typing speed (only one hand), leaving taps on the surface and possibly visual feedback.
Fingerprint scanners
A widespread solution, but not all devices have one (read: mine does not), and the devices don't offer too much security.
Multitouch gestures
They could be either single-handed (more fingers) or dual handed (two thumbs). The issues of a soft keyboard or the unlock patterns of android devices would be mitigated by the requirement that the fingers interact in a coordinated fashion (eg. finger 1 moves up, then left, then 2 moves right, then up).
This approach looks most promising to me, but is also the hardest.
Develop a standalone multitouch gesture tool
This is required for setting a password anyway, and will show if sufficiently complex patterns can be learned easily at all.
Patch support for this into a single screensaver of choice.
How difficult are multitouch gestures to observe / memorize / reconstruct compared to passwords?
Can we move this into PAM? If yes: Does that buy us compatibility with all PAM-using applications?
Does a memorizable multitouch gesture contain enough reproducible entropy to be suitable as a code, eg. for decrypting LUKS volumes or keyrings?
If it turns out multitouch gestures are relatively easy to reproduce, would a scheme where the user has three attempts to input the correct gesture (and must then fall back to entering a password) help?
This is a very rough idea that needs more thought and research before experimentation makes sense.
--chrysn 2015-03-10
This page is part of chrysn's public personal idea incubator; go up for its other entries, or read about the idea of having an idea incubator for more information on what this is.