Let’s start with some things we knew already: people are really bad at creating and remembering secure passwords and PINs.
We’re also bad at choosing and answering password recovery questions. Most of us can’t even cook up an unlock pattern for our Androids that’s not crazy easy to predict, be it by shoulder-surfing or the tell-tale streaks we leave with our greasy fingers.
Now, a new report (PDF) from security researchers at the US Naval Academy and the University of Maryland Baltimore County has quantified just how absurdly easy it is to do an over-the-shoulder glance that accurately susses out an Android unlock pattern.
As we explained a few years ago, a lockscreen pattern allows you to lock/unlock your device by swiping your finger on the screen, drawing a pattern that touches at least four and up to nine nodes. Just as with character counts in a passcode, the more nodes you touch in your pattern, the more secure your lock should be.
Unfortunately, while there are 389,112 possible patterns you could draw using four to nine nodes, when researcher Marte Løge analyzed 3400 user-selected patterns, she found that the most commonly selected patterns used just four.
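The 389,112 figure is worth checking, because it is the whole keyspace a shoulder-surfer is narrowing down. The script below is an added example (not from the article or the cited paper): it enumerates every pattern the 3x3 grid accepts under Android's rules, which I assume here to be "at least four distinct nodes, and a stroke may not pass over a node that has not been touched yet", buckets them by length, and compares the result with the keyspace of a PIN of the same length. It also includes a small validity checker for a single pattern.

```python
"""Enumerate valid 3x3 Android unlock patterns and compare the keyspace to PINs.

Added example: reproduces the 389,112 total the article quotes and shows the
per-length breakdown. Assumes the usual Android rules described in the lead-in.
"""
from math import log2

GRID = 3
NODES = GRID * GRID          # nodes are numbered row-major: 0 1 2 / 3 4 5 / 6 7 8
MIN_LEN, MAX_LEN = 4, 9      # Android accepts 4 to 9 distinct nodes


def midpoint(a: int, b: int):
    """Node lying exactly halfway between a and b on a straight line, else None.

    A stroke from a to b cannot skip over an unvisited node that sits directly
    between them; the stroke would connect that node instead.
    """
    ra, ca = divmod(a, GRID)
    rb, cb = divmod(b, GRID)
    if a == b or (ra + rb) % 2 or (ca + cb) % 2:
        return None          # no node sits halfway between these two
    return ((ra + rb) // 2) * GRID + (ca + cb) // 2


def is_valid_pattern(seq) -> bool:
    """True if seq is a pattern the lock screen would accept."""
    if not MIN_LEN <= len(seq) <= MAX_LEN or len(set(seq)) != len(seq):
        return False
    if any(not 0 <= n < NODES for n in seq):
        return False
    visited = set()
    for prev, cur in zip(seq, seq[1:]):
        visited.add(prev)
        mid = midpoint(prev, cur)
        if mid is not None and mid not in visited:
            return False     # would pass over an untouched node
    return True


def count_patterns_by_length():
    """Depth-first enumeration of every valid pattern, bucketed by node count."""
    counts = {n: 0 for n in range(MIN_LEN, MAX_LEN + 1)}

    def extend(last: int, visited_mask: int, length: int) -> None:
        if length >= MIN_LEN:
            counts[length] += 1
        if length == MAX_LEN:
            return
        for nxt in range(NODES):
            if visited_mask & (1 << nxt):
                continue     # each node may be used once
            mid = midpoint(last, nxt)
            if mid is not None and not visited_mask & (1 << mid):
                continue     # skipping an unvisited node is not allowed
            extend(nxt, visited_mask | (1 << nxt), length + 1)

    for start in range(NODES):
        extend(start, 1 << start, 1)
    return counts


def pin_keyspace(digits: int) -> int:
    """Number of distinct PINs of the given length."""
    return 10 ** digits


def entropy_bits(keyspace: int) -> float:
    """Log2 of a keyspace, i.e. the bits an attacker must guess."""
    return log2(keyspace)


if __name__ == "__main__":
    counts = count_patterns_by_length()
    print(f"{'length':>6} {'patterns':>10} {'bits':>6} {'PINs':>12} {'bits':>6}")
    for n, c in counts.items():
        print(f"{n:>6} {c:>10} {entropy_bits(c):>6.1f} "
              f"{pin_keyspace(n):>12} {entropy_bits(pin_keyspace(n)):>6.1f}")
    print("total patterns:", sum(counts.values()))
```

Running it shows that even the full 9-node pattern space is smaller than the space of 6-digit PINs, and that an 8-node pattern has the same number of possibilities as a 9-node one (once eight nodes are used, the ninth can always be reached). Note that these counts are the mathematical upper bound; the predictable choices described in the next paragraph shrink the effective space much further.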
That’s bad enough, but to make it even worse, most people do swipes in predictable patterns: they go from left to right, top to bottom, typically starting in a corner, often create patterns in the shape of a letter, and rarely backtrack over the space their fingers have already traversed.
That’s what we already knew.
What the Naval Academy/U of Baltimore security researchers did this time around was to form a baseline of exactly how easy it is for a snoop to reproduce our unlock patterns, and how much easier it is to glean a pattern vs a PIN.
In a nutshell: it is far easier for an attacker to shoulder surf a pattern than a PIN.
The large-scale study involved showing participants videos of phone users inputting PINs and unlock patterns, and then asking them to act as attackers by replicating what they’d seen.
No surprise here: they found that the longer (6-digit) PINs are fairly tough to shoulder surf at first blush. Only about 10% of the “attackers” who took a single look at the video of a 6-digit PIN got it right. That went up to about one in four with multiple viewings of the same video.
Compared to that, Android patterns that used 6 nodes were a breeze for the attackers. Their attack success rate was 64% with a single viewing of the video—a success rate that shot up to 80% with multiple views.
Naval Academy Professor Adam Aviv told Wired that it’s easier for humans to detect patterns than PINs because our brains are wired that way:
Patterns are really nice in memorability, but it’s the same as asking people to recall a glyph. Patterns are definitely less secure than PINs.
The researchers accounted for multiple conditions that could affect a shoulder surfing attack, including two common touchscreen sizes; they incorporated 5 different observation angles to simulate various observer vantage points; they considered different hand positions, such as single-handed thumb input vs two-handed index finger input; and they compared varying-length PINs and swipe patterns, both with and without the feedback lines.
The researchers noted that disabling Android’s “feedback lines”—those lines that visually trace the pattern in the wake of a swiping finger—cut that attack success rate down to 35% for single viewings and 52% with multiple views. That’s still pretty high, but at least it’s a bit of a bone to throw to those who really, really like their pattern unlocking.
After all, patterns are better than no protection at all. As it is, exhausted users are increasingly just rolling over and playing dead, numbed by alarm fatigue at all the security protocols/security warnings/data getting crowbarred out of companies that can’t seem to figure out how to keep their data safe.
The best approach to securing your device is to use the longest PIN it will allow and the shortest lock-out time you can stand.
Aviv, along with his fellow researchers, will present the paper at the Annual Computer Security Applications Conference in Puerto Rico in December.
David Pottage
We know that patterns are less secure, but they are much faster and easier to use than numeric passcodes. With pattern support, most people will tolerate a fairly short lock timeout; without them, they will want a longer timeout so they don’t have to enter the passcode so often.
A good compromise would be to require one or the other, depending on how long the phone has been locked for. So less than 30 seconds, and the phone stays unlocked, up to 5 minutes and a pattern can be used, more than 5 minutes would require a passcode.
Nobody_Holme
Feedback on pin code entry screen button presses looks like it was missed as a factor?
And again, I’m reminded of something I miss about blackberries, the good old physical keyboard that let you have easily entered proper passwords with low entry error rates and almost impossible shoulder surfing.
Anonymous
Is the left to right pattern because most languages are read that way? What about Chinese and Arabic speakers? Do they generally swipe left to right or right to left?
Laurence Marks
Well, back in late 1972 I did a master’s paper on character recognition of digits flashed on a screen for short periods, in sub-optimal conditions. I was looking at confusion between similar digits (5&8, 1&7, etc.). My correlations matched the test data if I convolved the two-dimensional Fourier transforms of the characters with a sweep from upper-left to lower-right, suggesting that even though we think we see an image in toto, we actually analyze it upper left to lower right. I had some Israeli data and it fit the same pattern, suggesting that Israelis also scan from top-left to bottom right.
I admit that I didn’t try the convolution from top-right to bottom-left, so I can’t rule out a top-to-bottom result that’s independent (or less dependent) on the lateral part.
Bryan
Very, very cool. Sounds like a seriously fascinating project. Thanks for sharing Laurence!
Security
Marte already wrote about it in her research :)
Anonymous
I don’t disagree that the authentication level isn’t as secure as the pin code or passcode, but there are additional problems if someone has physical access to your device anyway. Even if you do have a strong passcode for unlocking your phone, that doesn’t mean that all of the data on the phone is encrypted. Although they could clone your phone to access the data that way. Also, if someone steals your phone you would lose any data that’s not backed up, plus the cost of the replacement phone plus additional charges from the cellular carrier.
Max
On the flip side, I would say it is more likely for a pattern to have more nodes than a PIN has digits, simply because adding more nodes doesn’t have much impact on convenience compared to adding more digits to a PIN. It would be interesting to see how a, say, 6-8 node pattern fares compared to a 4-digit PIN. I’d assume the over-the-shoulder attack success rate for 4-digit PINs is quite high.