A pilot study on the security of pattern screen-lock methods and soft side channel attacks

Abstract: Graphical passwords that allow a user to unlock a smartphone's screen are one of the Android operating system's features and many users prefer them instead of traditional textbased codes. A variety of attacks has been proposed against this mechanism, of which notable are methods that recover the lock patterns using the oily residues left on screens when people move their fingers to reproduce the unlock code. In this paper we present a pilot study on user habits when setting a pattern lock and on their percepti… Show more

“…One of our objectives when we designed the experiment was to evaluate previous results we presented during a pilot study which examined (in a similar way) if there exist any heuristic rules that are responsible for specific biases in the provided patterns [1]. The experiments in this study were conducted using a web application, thus, the participants were not really interacting with a smartphone device but with the monitor of their computer.…”

“…These are sub-patterns that exist in the password and provide information about the most common edges that were formed during the drawing of the pattern. A comparison with [1] shows that indeed the upper nodes are heavily utilized during password formation. Table 4 concatenates the results of our research describing user perceptions about the security of the Android Pattern-Lock method and their responses to our feedback prompt.…”

“…In a relevant case study [3] researchers demonstrated the vulnerabilities of touchscreens and conducted attacks (known as smudge attacks) on graphical passwords using the residues that were left on the screen. This information, in conjunction with behavioural biases traced from a pilot web survey, was used in [1] to perform attacks on the Android Pattern-Lock providing promising results. Our intention here is to confirm those results and examine how the users would react if they had the ability to be informed by the smartphone about the strength of the graphical password they chose.…”

“…We based our assumptions and definitions on our pilot study [1] which illustrated that there exist behavioural biases when humans create their graphical passwords. The basic heuristic rules we derived by the study are: (a) More than 50% of users start their patterns from the top left node, (b) a pattern that consists of less than 6 nodes is considered as not secure enough, (c) a secure password is the one that has more than 2 direction changes.…”

Complexity Metrics and User Strength Perceptions of the Pattern-Lock Graphical Authentication Method

“…One of our objectives when we designed the experiment was to evaluate previous results we presented during a pilot study which examined (in a similar way) if there exist any heuristic rules that are responsible for specific biases in the provided patterns [1]. The experiments in this study were conducted using a web application, thus, the participants were not really interacting with a smartphone device but with the monitor of their computer.…”

“…These are sub-patterns that exist in the password and provide information about the most common edges that were formed during the drawing of the pattern. A comparison with [1] shows that indeed the upper nodes are heavily utilized during password formation. Table 4 concatenates the results of our research describing user perceptions about the security of the Android Pattern-Lock method and their responses to our feedback prompt.…”

“…In a relevant case study [3] researchers demonstrated the vulnerabilities of touchscreens and conducted attacks (known as smudge attacks) on graphical passwords using the residues that were left on the screen. This information, in conjunction with behavioural biases traced from a pilot web survey, was used in [1] to perform attacks on the Android Pattern-Lock providing promising results. Our intention here is to confirm those results and examine how the users would react if they had the ability to be informed by the smartphone about the strength of the graphical password they chose.…”

“…We based our assumptions and definitions on our pilot study [1] which illustrated that there exist behavioural biases when humans create their graphical passwords. The basic heuristic rules we derived by the study are: (a) More than 50% of users start their patterns from the top left node, (b) a pattern that consists of less than 6 nodes is considered as not secure enough, (c) a secure password is the one that has more than 2 direction changes.…”

Complexity Metrics and User Strength Perceptions of the Pattern-Lock Graphical Authentication Method

“…shoulder surfing [21], [25] and brute force attacks [13]), as well as attacks that are unique to graphical passwords due to traces and oily residues left on the screen (i.e. smudge attacks [11], [9,10]. Andriotis et al [9,10] focused on human factors that might affect the choice of graphical passwords on a smartphone (such as sub-patterns and starting points), which in combination with smudge attacks can be used to infer the graphical passwords.…”

Exploring the Adoption of Physical Security Controls in Smartphones

Connecting Human to Physical-World: Security and Privacy Issues in Mobile Crowdsensing