User Support
Welcome to the PixelPin user support. Here you should be able to find help on various topics including how to use PixelPin effectively & what to do if you get stuck. Opposite are some of our most frequently asked questions.


What do I do if I forget my Passpoints?

You can easily reset your Passpoints by selecting the ‘I’ve forgotten’ link. You’ll then receive an email with a link to your security question, answer your security question and you can then reset your Passpoints.

Where can I use PixelPin?

You can use PixelPin to sign in to any website or app that uses PixelPin. The list of sites using PixelPin is growing.

Can I have multiple pictures?

No – The idea behind PixelPin is that you use one picture to sign in everywhere. If you come across a site that uses PixelPin and you already have a PixelPin account you will be able to sign up to that site easily using PixelPin and use your picture as normal.

Can I change my picture?

Yes – We recommend changing your picture as often as you like (provided it’s a strong picture with lots of potential Passpoints). Once you’ve signed into your PixelPin dashboard you can change your picture or your Passpoints.

Can I change my Passpoints?

Yes – You can change your Passpoints once you’ve signed in to your PixelPin dashboard.

Is PixelPin secure?

Yes – the number of potential Passpoints on a picture is far greater than the number of characters and numbers on a keyboard. Therefore a picture is much more secure than a 4 digit PIN on a phone or a standard password.

Can I use my own picture?

Yes – you are encouraged to use your own picture as it makes remembering the Passpoints a lot easier. There is a growing body of academic research suggesting people remember images better than words which links to the Picture Superiority Effect (PSE).

What is the best sort of picture to use?

Choose a picture that you have a personal connection with. It’s important to pick an image with lots of points of interest to ‘click’ on – but make sure you don’t pick obvious Passpoints, like 4 faces in a row. A good example of a good picture to use is the tube map. Don’t forget, the order is important too.

Am I choosing objects or points in the picture?

A common mistake people make with PixelPin is that they think it’s possible to select a whole object or a person in a picture and that that counts as a ‘Passpoint’, this is not the case. When you set up a PixelPin account it is important to choose specific ‘points’ in your picture rather than areas. The confirmation of Passpoints step in the signup process should help you choose your Passpoints precisely.

What happens if I make a mistake?

You just start again. You have 3 opportunities to get it right. If you still make a mistake you will need to reset the Passpoints using the ‘Forgotten Passpoints’ procedure. For security purposes if you enter your Passpoints incorrectly too many times your account will be locked for 15 minutes. There is also a delete button if you enter a Passpoint incorrectly.

Can I use the same picture on my phone and laptop?

Yes – PixelPin is a cross platform solution so you will be able to sign in to a particular website or app using the same picture from wherever you want. PixelPin works on PC, laptop, tablet and smart phone.

I signed up for PixelPin, but I have not received a confirmation email.

Try checking your spam box. You must verify your email address by clicking on the link in this email before you can use PixelPin.

Are fingerprints a better solution than pictures or passwords?

Fingerprint security is a biometric solution where you use your own body to authenticate yourself. Clearly biometrics tend to be very secure, but it is not possible to ‘reset’ your fingerprints so you need to be confident that if you offer them to an organisation they will look after them securely. PixelPin believes that biometrics are not appropriate for normal day to day authentication needs. No hardware is required for Pixelpin – it will work on any smartphone, tablet or computer you already have.

My fingers are quite large, will it still work on a touch screen?

Yes – PixelPin will work for anyone.

I keep forgetting my passpoints.

Make sure you choose a picture you have a personal connection with, it also helps if you tell yourself a story when selecting your Passpoints. For instance, if you’re using a picture of a map of the world, you might choose 4 countries you have visited. It also helps to use PixelPin as frequently as possible.

How do I set-up 2-factor?

Step 1- Sign in with PixelPin on desktop

Step 2a- Please record your emergency codes

Step 2b- After logging in with PixelPin on the desktop, set-up 2-factor using another device and open the PixelPin app. Click register 2-factor code and the camera opens to scan the QR code that is on the desktop

Step 3- The device will then generate a time-based one-time password (TOTP)

Step 4- The user enters the code onto the desktop and clicks verify.

Step 5- 2-factor set-up is complete

How do I use 2-factor on desktop?

Step 1- Sign in with PixelPin

Step 2- At the next login, the PixelPin app generates a TOTP

Step 3- The user enters the code and clicks ‘verify’

Step 4- The users chosen image would appear

Step 5- The user enters their Passpoints

Step 6- 2-factor login is complete

How do I use 2-factor on mobile?

Step 1- Sign in with PixelPin

Step 2- At the next login, the PixelPin app generates a TOTP

Step 3- The users chosen image would appear

Step 4- The user enters their Passpoints

Step 5- 2-factor login is complete


Developer Support
Welcome to the PixelPin developer support . Here you should be able to find help on various topics including how to integrate PixelPin effectively & what to do if you get stuck.


What is PixelPin?

PixelPin is an authentication system that uses pictures instead of passwords. Instead of typing in an email address and a password, you type in an email address and click 4 points on an image.

How secure is it?

In terms of numbers, an 8 digit alphanumeric password (a-z,A-Z,0-9 + 10 punctuation marks) has a potential 7.2 x 10^14 combinations – the reality is that most people use only one of a few hundred common passwords. PixelPin on the other hand depends on the size of the input device and the image complexity as to where a person is likely to click but an estimate based on a mobile (3 x 5 inches) screen at 1/4 inch spacing is 3.3 x 10^9 or if only used on the desktop, 9.4 x 10^14. The real question on security however is not how many combinations but how easy is it to brute force – both to get the data to brute force and also to mechanically carry out the brute-force attempt. Both of these are close to impossible with PixelPin.

How is PixelPin better than Facebook or Google login?

Google and Facebook are both probably well implemented systems that are hard to brute-force and hard to hack. What PixelPin adds that none of these other providers do is both the user experience of using pictures, something that is much more acceptable than password management but also an increased memory capacity due to the pictorial superiority effect (we remember pictures more easily!) so password resets are reduced, passwords are not written down, they cannot easily be shared across the phone, they cannot easily be used in phishing attacks since the picture is personal to the user whereas a login and password box are not.

Why do I need to register for a PixelPin account?

All single-sign-on services require you to create an account. This is both to track your usage and also to ensure that the user is not being tricked into logging onto a site pretending to be someone else.

Why do I need to use a valid email address?

It is important that if we need to contact you regarding system updates/changes, that we can reach you. This email address will be verified to ensure you use a valid address but you should also keep this up to date. We will not use this email address except for important updates or very occasionally product updates related to PixelPin.

What is a return uri (Uniform Resource Identifier)/where do I find it?

Part of the message flow for OAuth2 is for the client to tell PixelPin which url (Uniform Resource Locator) to return to once authentication has occurred (or failed). For security reasons, this must be registered with your account to ensure that someone doesn’t use your PixelPin account login but redirect back to somewhere else. To find it, you should either refer to your plugin documentation or otherwise attempt to login using PixelPin which will redirect your browser and where you can then retrieve the return uri from the querystring. Note you need to remove the url encoding from this querystring before registering it (you can do that online).
When the system compares the return uri from the querystring to the one you have registered, it strips the querystring and any trailing slashes and is also case-insensitive. Note that the protocol (http/https) and the hostname/path must match. e.g. If you registered

What systems/frameworks/languages does PixelPin support?

PixelPin for single-sign-on uses HTTP and REST which can potentially be called from any web-enabled language. PixelPin currently provides plugin code for HybridAuth which supports many frameworks in PHP (see HybridAuth) for details and also a plugin for .Net which can be used with the open source DotNetOpenAuth library. Further frameworks and language plugins will be considered based on sales enquiries/demand and capacity for development.

Does PixelPin provide a plugin/Javascript for client-based authentication?

Not currently – The idea of the client-based authentication is that using Javascript means the user’s browser can redirect to PixelPin without needlessly involving the client web-server. However, after this, the server is then involved with the remainder of the OAuth2 handshake. This is on our list of future developments.

How should PixelPin be integrated into my site design?

It is important to be consistent with logins on other sites so that your users will understand what is happening when you sign in with PixelPin. This usually means that they should click a button, which says, “login with PixelPin” (there is an example on the Developer home page) before they leave your site and arrive at the PixelPin site. If you have alternative social logins to PixelPin, then this will usually be a button alongside other buttons. If PixelPin is the only login, you should still have the button and should not automatically redirect from a link or button that simply says, “login” since your user will probably not expect this.

What is your data privacy policy and how securely is the data stored?

PixelPin does not have a business model that involves selling or sending your data to any third-parties so it is in our best interests to store it as securely as possible. Without giving away too many secrets, ALL personal information including email addresses, names and security questions/answers are either hashed using SHA512 so no-one can read them (including us!) or encrypted using AES 256bit. These are considered by many to be top-level encryption and hashing algorithms so even if your data could be read from the database, it is unlikely to be of much use to anyone.

Does PixelPin work with any secret services such as the NSA /GCHQ to share useful information?

No – We cannot be compelled under any non-UK laws to reveal any information or give any “back doors” into our system. UK laws are currently quite public and require a judge to agree to any information being released to any third-parties although we try and keep our system as “zero knowledge” as possible so that we wouldn’t have anything useful to share! The most information we potentially have is whether you (or someone with your login details!) logged in via PixelPin to a specific site and when that occurred. We would ensure that such information would only be requested for good reason and not just a fishing expedition!

How can we know that you designed and built PixelPin properly?

We contracted (the award winning) IRM plc of Cheltenham, an independent professional testing organisation, to conduct a code review of our system. They discovered a few minor flaws that have since been fixed.

What processes were involved during the design and build of PixelPin?

We used the OWASP security checklists at every stage to ensure that every risk had been considered and mitigated where possible. Much of the good-practice security is built-in to later versions of ASP.Net&

Could you have possibly inherited risks from older or third-party software?

No – This is a brand new system and was not based on something older. Also, the use of third-party software is minimal and certainly not in the main flow of the application.

Do you harvest images?

No – Your image is used purely for logging in. That said, we have image filtering and skin tone detection so please don’t use anything illegal or that would cause offence to the general public or your account might be disabled or deleted. If this happens, you will be notified by email.


For Further Assistance
Please contact: support@pixelpin.co.uk