• Sign On

Everything I say about non-obscuring, and notes that you probably don't need it at all; devices are personal and those with secure info better lock the device -- device lock hints: make gestures clear, pattern codes, etc. ALSO, some notes about best practices for pattern and numeric unlock; it is easy to crack a lock by fingerprinty screens, so if truly high security, make it random position -- variation maybe cut by not design but security requirements, and designs that fall from that... Low: None, Mid: Pin/Pattern, High:??? + randomizing and non-form systems so the handset has no way of thwarting you and saving the entry

Problem

Solution

Do not require explicit authentication by default. Mobiles are personal, so only require authentication for first time entry, very high security situations, and for multi-user devices such as kiosks.

Personal mobile devices also all have built in security methods, so users can lock them if security conscious. During setup, you may remind users of these features instead of adding additional security to your application.

User identity, whenever known, should be used and as much information in the system displayed as possible before authentication gateways are passed. Authentication may then only require the password.

Authentication must be presented in context, so it is clear what system the user is gaining access to, and why the level of security is needed. Entry methods must be designed to encourage ease of access, and prevent miskeying.

Variations

Text/numeric entry, using conventional input methods, whether hardware or virtual

Virtual, changing pad

Pattern

Additional entry methods, such as voice, are not yet established enough to have best practices in the mobile space, and therefore no design patterns exist.

Remember that entry of credentials is not enough to count as a full security methodology. Recovery, reset and out-of-channel notifications are also required, but are systematic approaches outside the scope of this document. For very high security applications, multi-factor authentication, biometrics and token-based security systems (such as RSA SecureID) must also be considered.

Interaction Details

Pop-up or full screen

Text Entry not obscured usually...

Pad entry (on screen keypad, standard or custom - preference is to randomized if you go this way)

Pattern entry (on screen gestural shapes)

Provide links to seek help on entry, get more information on security of the system, and to recovery and/or reset methods.

Presentation Details

Title and describe... not just app, but section or process. If title does not imply why they need to authenticate, add a description

Label fields

If identified, provide additional user information, such as their avatar photo and name. Do not just ask for the password with no supporting information

Antipatterns

Use caution when obscuring fields. Do not assume that the default password method built into the OS is secure. Most still reveal the character being typed, as required in triple-tap text entry modes. If an obscured entry is required due to use as a kiosk, while attached to a projected device or in other shared situations, be sure to specify how obscured it must be.

Examples