It's a Hard Lock Life: A Field Study of Smartphone (Un)Locking Behavior and Risk Perception

A lot of research is being conducted into improving the usability and security of phone-unlocking. There is however a severe lack of scientific data on users’ current unlocking behavior and perceptions. We performed an online survey (n = 260) and a one-month field study (n = 52) to gain insights into real world (un)locking behavior of smartphone users. One of the main goals was to find out how much overhead unlocking and authenticating adds to the overall phone usage and in how many unlock interactions security (i.e. authentication) was perceived as necessary. We also investigated why users do or do not use a lock screen and how they cope with smartphone-related risks, such as shoulder surfing or unwanted accesses. Among other results, we found that on average, participants spent around 2.9 % of their smartphone interaction time with authenticating (9 % in the worst case). Participants that used a secure lock screen like PIN or Android unlock patterns considered it unnecessary in 24.1 % of situations. Shoulder surfing was perceived to be a relevant risk in only 11 of 3410 sampled situations.
