Hitoshi Kokumai
Jun 7


A number of people have looked at the potential of picture passwords, sadly with a big misunderstanding of their own.

There have been basically two types of propositions.

A. Selecting several easy-to-remember points on a big image -

It is impossible for a human to remember the position of the correct point to the accuracy of a pixel (something a computer never fails at). The software therefore has to judge whether the pixel picked is close enough to, or too distant from, the registered pixel, and that judgement depends on a threshold set by the programmer. This makes the method ‘probabilistic’, which brings the same problem we see in biometrics, namely the presence of false acceptance and false rejection.

One vendor seems to have misguided themselves into wrongly believing that this method would bring huge mathematical strength, with its probabilistic nature ignored. They killed their solution through a misunderstanding of their own.

B. Selection of the registered images embedded among decoys on a grid/matrix -

It looks impossible for ‘several images among dozens of decoys’ to achieve the mathematical strength required to withstand brute-force attacks that break 80-bit, 160-bit and larger entropies. Most picture password developers seem to have been trapped in this misunderstanding of their own.

We know that this is not the case: the threat of ‘visual-manual attacks on the display’ is very different from that of ‘automated brute-force attacks’ on the data server. A figure of 20 bits, roughly a million attempts, would be just a bad joke against automated attacks, whereas it makes a pretty tall wall against visual-manual attacks on the display.
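To put numbers on this distinction, the following is an added Python example, not part of the original post, that computes the search space of the grid scheme in (B) and compares how long exhausting it would take at an assumed automated rate versus an assumed manual rate of one tap sequence every five seconds. The grid size, number of picks, attempt rates and lockout limit are illustrative assumptions, not figures from the post.

```python
from math import comb, log2, perm


def search_space(cells: int, picks: int, ordered: bool = True, repeats: bool = True) -> int:
    """Number of distinct selections of `picks` images on a grid of `cells` images.

    ordered + repeats : order matters and an image may be tapped twice (cells ** picks)
    ordered only      : order matters, each image used at most once (permutations)
    unordered         : a bare set of images, order ignored (combinations)
    """
    if not repeats and picks > cells:
        raise ValueError("cannot pick more distinct images than the grid holds")
    if ordered and repeats:
        return cells ** picks
    if ordered:
        return perm(cells, picks)
    return comb(cells, picks)


def entropy_bits(cells: int, picks: int, ordered: bool = True, repeats: bool = True) -> float:
    """Entropy of a uniformly random selection, in bits."""
    return log2(search_space(cells, picks, ordered, repeats))


def seconds_to_exhaust(bits: float, attempts_per_second: float) -> float:
    """Worst-case time to walk the entire space at the given attempt rate."""
    return 2 ** bits / attempts_per_second


def guess_probability(bits: float, attempts_allowed: int) -> float:
    """Success chance when an online lockout caps the attacker at `attempts_allowed` tries."""
    return min(1.0, attempts_allowed / 2 ** bits)


if __name__ == "__main__":
    # Assumed scheme: a 5x5 grid, four ordered picks, repeats allowed -> about 18.6 bits.
    bits = entropy_bits(25, 4)
    print(f"5x5 grid, 4 ordered picks: {search_space(25, 4)} sequences, {bits:.1f} bits")
    # Assumed rates: 1e9 hashes/s for an offline automated attack on leaked data,
    # 0.2 attempts/s (one tap sequence per five seconds) for a manual attack on the display.
    print(f"automated, offline : {seconds_to_exhaust(bits, 1e9):.4f} s to exhaust")
    print(f"manual, on display : {seconds_to_exhaust(bits, 0.2) / 86400:.1f} days to exhaust")
    # With an assumed lockout after 5 failures the online guess chance is tiny even at 18.6 bits.
    print(f"5 tries before lockout: success probability {guess_probability(bits, 5):.2e}")
```

The same space that an offline attacker clears in well under a second takes a person at the screen weeks, which is the asymmetry the paragraph above relies on.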

To be candid, (A) was among the first round of our patent applications in 2000, but we soon decided to forget it for the reason explained above. We have since been persistently on the course of (B).

