I came across the following link that describes GUI-based passwording systems:
http://blogs.zdnet.com/emergingtech/?p=137
In particular, the second system described by the article, which involves a field of randomly chosen shifting icons, really caught my attention. The system has a large library of icons, and the user picks a small handful to be password icons. The twist is, you never actually have to click one of your password icons on the login GUI, which keeps the password secret.
The logon screen consists of a grid of randomly chosen icons, with four of your password icons distributed somewhere on the grid. You locate the icons, and visualize that they're at the corners of an imaginary shape. You click inside that shape, and then the system randomly arranges the icons again. You then repeat the process, figuring out which four icons are from your set of password icons, and clicking inside the borders of the new invisible shape.
After a set number of clicks in the correct areas, the system can determine with a reasonable level of confidence that you actually know which icons are password icons and aren't just hitting the imaginary shapes by random chance. However, someone watching your clicks has no easy way of determining which icons actually make up the corners of your shapes. Depending on the size of the icon library, and the size of the grid used for login, it's possible that if someone shoulder surfed a huge number of logins, pattern analysis would eventually pick out the password icons, but it would not be an easy task.
Anyway, I figure a visually oriented, yet shoulder-surfing resistant password entry system is a perfect fit for the SR setting, especially with how widespread AR overlay is.
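The scheme in the post, written out as a toy model so the "reasonable level of confidence" part can be put to numbers. This is an added example, not code from the ZDNet article or any real product: the grid size, library size, number of secret icons per user, the use of a convex hull as the "imaginary shape", and the cell-based click model are all assumptions. The server side recomputes the shape from the icons it placed and tests the click against it; the simulation then measures how often a blind click lands inside the shape anyway, and how many consecutive rounds are needed before that chance drops below a chosen false-accept rate.

```python
"""Toy model of the 'click inside the shape formed by your icons' login.
Added illustration; grid size, library size and thresholds are assumptions."""
import random

GRID_W, GRID_H = 8, 6        # assumed grid: 48 cells per round
LIBRARY_SIZE = 200           # assumed size of the icon library
PASSWORD_ICONS = 10          # assumed number of secret icons per user
ICONS_PER_ROUND = 4          # secret icons shown per round (from the post)


def cross(o, a, b):
    """2-D cross product (a - o) x (b - o); sign gives the turn direction."""
    return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])


def convex_hull(points):
    """Andrew's monotone chain; vertices returned in counter-clockwise order.
    Collinear inputs collapse to fewer than 3 vertices (a degenerate shape)."""
    pts = sorted(set(points))
    if len(pts) <= 2:
        return pts
    lower = []
    for p in pts:
        while len(lower) >= 2 and cross(lower[-2], lower[-1], p) <= 0:
            lower.pop()
        lower.append(p)
    upper = []
    for p in reversed(pts):
        while len(upper) >= 2 and cross(upper[-2], upper[-1], p) <= 0:
            upper.pop()
        upper.append(p)
    return lower[:-1] + upper[:-1]


def point_in_hull(point, hull):
    """True if point is inside or on the boundary of a CCW convex polygon."""
    if len(hull) < 3:
        return False              # no area to click into
    n = len(hull)
    return all(cross(hull[i], hull[(i + 1) % n], point) >= 0 for i in range(n))


def make_layout(rng, secret):
    """Place ICONS_PER_ROUND secret icons at random cells, fill the rest with
    decoys, and reject layouts whose secret icons are collinear."""
    cells = [(x, y) for x in range(GRID_W) for y in range(GRID_H)]
    decoy_pool = [i for i in range(LIBRARY_SIZE) if i not in secret]
    while True:
        rng.shuffle(cells)
        shown = rng.sample(sorted(secret), ICONS_PER_ROUND)
        decoys = rng.sample(decoy_pool, len(cells) - ICONS_PER_ROUND)
        if len(convex_hull(cells[:ICONS_PER_ROUND])) >= 3:
            return dict(zip(cells, shown + decoys))


def verify_click(grid, secret, click):
    """Server-side check: rebuild the shape from where the secret icons were
    placed on this screen and test whether the clicked cell lies inside it."""
    secret_cells = [c for c, icon in grid.items() if icon in secret]
    return point_in_hull(click, convex_hull(secret_cells))


def random_click_success_rate(rng, secret, trials=500):
    """Average fraction of cells inside the secret shape over random layouts:
    the per-round chance that someone clicking blindly is accepted."""
    cells = [(x, y) for x in range(GRID_W) for y in range(GRID_H)]
    inside = 0
    for _ in range(trials):
        grid = make_layout(rng, secret)
        inside += sum(verify_click(grid, secret, c) for c in cells)
    return inside / (trials * len(cells))


def rounds_needed(per_round_rate, max_false_accept=1e-4):
    """Smallest number of consecutive correct rounds at which blind clicking
    succeeds with probability at most max_false_accept."""
    if not 0 < per_round_rate < 1:
        raise ValueError("per-round rate must be strictly between 0 and 1")
    n, p = 1, per_round_rate
    while p > max_false_accept:
        n += 1
        p *= per_round_rate
    return n


def estimate_rounds(seed=7, trials=500, max_false_accept=1e-4):
    """Run the simulation for one user; returns (per-round rate, rounds needed)."""
    rng = random.Random(seed)
    secret = set(rng.sample(range(LIBRARY_SIZE), PASSWORD_ICONS))
    rate = random_click_success_rate(rng, secret, trials)
    return rate, rounds_needed(rate, max_false_accept)


if __name__ == "__main__":
    rate, rounds = estimate_rounds()
    print(f"blind-click acceptance per round ~ {rate:.2f}")
    print(f"rounds needed for false-accept below 1e-4: {rounds}")
```

The shape is taken as the convex hull rather than a quadrilateral in icon order, so a fourth icon lying between the other three simply yields a triangle, and a layout with all four secret icons in a line is regenerated because it has no interior to click. The per-round rate is what sets the login length: the larger the shape an average placement produces, the more rounds the server must demand before a lucky sequence of blind clicks is unlikely enough to accept.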