Stop to Unlock - Improving the Security of Android Unlock Patterns

Android unlock patterns are among the most common authentication mechanisms on mobile devices. They are fast and easy to use but lack security, since user-chosen gestures are both easy to guess and easy to observe. To improve the traditional pattern approach, we propose Stop2Unlock, a usable but more secure modification of the traditional pattern lock. Stop2Unlock allows users to define nodes where they stop for a limited amount of time before swiping to the next node. We performed a lab study (n=40) and a field study (n=14) to show that this small change in user interaction can have a significant impact on security with a minimal impact on usability. That is, user-selected Stop2Unlock patterns are significantly harder to guess while being comparable in terms of usability. Additional analysis showed that users perceived the stop component as a rhythmic and memorable cue which supported the selection of higher entropy patterns.
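The following is an added illustration, not code from the paper or its authors. It enumerates the valid 3x3 Android pattern space under the standard rules (4 to 9 distinct nodes, no swipe across an unvisited node in a straight line) and then shows how much a stop annotation enlarges the theoretical search space an attacker would have to guess through. It assumes, as a simplification not stated in the abstract, that any node except the last may carry a stop (the last node has no "next node" to swipe to) and that the verifier classifies a dwell as a stop using a fixed threshold `DWELL_MS`; both are assumptions of this example.

```python
# Added example: size of the pattern space with and without stop nodes,
# plus a minimal verifier for a stop-annotated pattern. Not from the paper.
GRID = 3
NODES = [(r, c) for r in range(GRID) for c in range(GRID)]
MIN_LEN, MAX_LEN = 4, 9
DWELL_MS = 500  # assumed stop threshold; the paper's actual timing is not given here


def _blocked(a, b, visited):
    """Android rule: a straight swipe over an unvisited node is not allowed,
    because that middle node would be selected automatically."""
    (r1, c1), (r2, c2) = a, b
    if (r1 + r2) % 2 or (c1 + c2) % 2:
        return False  # no grid node lies exactly in the middle of the move
    mid = ((r1 + r2) // 2, (c1 + c2) // 2)
    return mid not in visited


def enumerate_patterns():
    """Depth-first enumeration of every valid 3x3 unlock pattern."""
    found = []

    def dfs(path, visited):
        if len(path) >= MIN_LEN:
            found.append(tuple(path))
        if len(path) == MAX_LEN:
            return
        for nxt in NODES:
            if nxt in visited or _blocked(path[-1], nxt, visited):
                continue
            visited.add(nxt)
            path.append(nxt)
            dfs(path, visited)
            path.pop()
            visited.remove(nxt)

    for start in NODES:
        dfs([start], {start})
    return found


def count_by_length(patterns):
    """Number of valid patterns for each pattern length."""
    counts = {}
    for p in patterns:
        counts[len(p)] = counts.get(len(p), 0) + 1
    return counts


def stop_augmented_space(patterns):
    """Assumption: every node except the last may be a stop or not, so a
    length-L pattern has 2**(L-1) stop variants (including 'no stops')."""
    return sum(2 ** (len(p) - 1) for p in patterns)


def verify(stored_nodes, stored_stops, attempt):
    """Check an entered pattern against the stored one.

    stored_nodes: list of nodes in swipe order.
    stored_stops: set of indices into stored_nodes that must be stops.
    attempt: list of (node, dwell_ms) pairs as captured from the touch screen.
    Both the node sequence and the per-node stop decision must match.
    """
    if len(attempt) != len(stored_nodes):
        return False
    ok = True
    last = len(stored_nodes) - 1
    for i, ((node, dwell), expected) in enumerate(zip(attempt, stored_nodes)):
        if node != expected:
            ok = False
        if i != last and (dwell >= DWELL_MS) != (i in stored_stops):
            ok = False  # the lift-off node carries no stop decision
    return ok


if __name__ == "__main__":
    pats = enumerate_patterns()
    print("plain patterns:", len(pats))
    print("per length:", count_by_length(pats))
    print("with stop annotations:", stop_augmented_space(pats))
    # constructed sample: a Z-shaped pattern with a stop on the second node
    secret = [(0, 0), (0, 1), (0, 2), (1, 2)]
    print(verify(secret, {1}, [((0, 0), 80), ((0, 1), 700), ((0, 2), 90), ((1, 2), 0)]))
```

The enumeration reproduces the familiar 389,112 valid plain patterns; under the stated stop assumption the space grows by a factor of roughly 150. The multiplier is only an upper bound on the attacker's work: as the abstract notes, what matters in practice is how users actually choose patterns, which is why the paper measures guessability of user-selected patterns rather than the raw space.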
