Locked Your Phone? Buy a New One? From Tales of Fallback Authentication on Smartphones to Actual Concepts

We describe three scenarios in which fallback authentication on smartphones can occur and evaluate their real-life occurrences in an online survey (n=244) and complementary interviews (n=12). The results provide first insights into the frequencies, reasons, countermeasures taken, and problems of lockout experiences. Overall, study participants were satisfied with current fallback schemes; at the same time, fallback authentication became more difficult when special circumstances applied, which leaves room for improvement. Based on this, we propose an alternative concept for fallback authentication that quizzes users about apps that are and are not installed on their device. Authentication succeeds when users correctly identify a certain number of apps. Our evaluation showed that the concept yields an overall accuracy of 95%.
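The threshold rule in the proposed concept can be sketched as follows. This is an added example, not code from the paper: the quiz length, the pass threshold, the even split between installed apps and decoys, the app names, and the per-answer probabilities are all assumptions chosen for illustration.

```python
import random
from math import comb

def build_quiz(installed, decoys, n, rng):
    """Pick n apps, half from the device and half decoys, in random order.
    The balanced split is an assumption; it stops a constant answer
    ("everything is installed") from scoring above n/2."""
    half = n // 2
    items = [(app, True) for app in rng.sample(sorted(installed), half)]
    items += [(app, False) for app in rng.sample(sorted(decoys), n - half)]
    rng.shuffle(items)
    return items  # list of (app_name, is_installed)

def grade(quiz, answers, threshold):
    """Authenticate only if at least `threshold` answers match the device state."""
    if len(answers) != len(quiz):
        return False
    correct = sum(1 for (_, truth), ans in zip(quiz, answers) if ans == truth)
    return correct >= threshold

def pass_probability(n, threshold, p):
    """P(at least `threshold` of n independent answers are right),
    where each answer is right with probability p."""
    return sum(comb(n, k) * p**k * (1 - p)**(n - k)
               for k in range(threshold, n + 1))

# Constructed sample data, not taken from the study.
INSTALLED = {"Mail", "Maps", "Camera", "Notes", "Podcasts", "Bank", "Chat"}
DECOYS = {"Chess", "Radio", "Scanner", "Diary", "Weather2", "Taxi", "Recipes"}

if __name__ == "__main__":
    rng = random.SystemRandom()  # unpredictable question selection
    quiz = build_quiz(INSTALLED, DECOYS, 10, rng)
    owner = [truth for _, truth in quiz]   # owner recalls every app
    print("owner passes:", grade(quiz, owner, 8))
    print("always-yes passes:", grade(quiz, [True] * 10, 8))
    # Random guesser (p=0.5) versus a user who is right 90% of the time.
    print("guesser:", pass_probability(10, 8, 0.5))
    print("user at 0.9:", round(pass_probability(10, 8, 0.9), 4))
```

Raising the threshold lowers the guesser's pass rate but also locks out more legitimate users, so both probabilities need to be examined together when picking the quiz length and threshold.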
