The most secure way to unlock your phone, revealed

Patterns provide far less protection than PINs

Aatif Sulleyman
Thursday 28 September 2017 11:54 BST
Comments

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

People should stop using patterns to unlock their devices, researchers have warned.

A new study has found that it’s a lot easier for people who might be looking over your shoulder as you unlock your phone to memorise a pattern than a passcode.

So-called “shoulder surfing attacks” can be easy for a criminal to plan and execute, but you can protect yourself by switching to a PIN code and increasing its length from four digits to six, the researchers say.

They got over 1,000 volunteers to act as attackers, challenging them to memorise a range of unlocking authentications – four- and six-digit PINs, and four- and six-length paŠtterns with and without tracing lines – by watching a victim over their shoulder from a variety of angles.

The 5-inch Nexus 5 and 6-inch OnePlus One were the two handsets used in the study, as the researchers say they “are similar to a wide variety of displays and form factors available on the market today, for both Android and iPhone”.

The researchers also considered single and multiple views for the attacker and two different hand positions for the victim – single-handed thumb input and two-handed index-€finger input.

The study found that four-length patterns with visible lines were far easier to crack, as a result of shoulder surfing, than any other type of unlocking authentication they tested.

“We €find that PINs are the most secure to shoulder surfi€ng attŠacks, and while both types of paŠttern input are poor, pattŠerns without lines provides greater security,” the researchers, from United States Naval Academy and the University of Maryland, said.

“ŒThe length of the input also has an impact; longer authentication is more secure to shoulder sur€fing. Additionally, if the attŠacker has multiple-views of the authentication, the aŠttacker’s performance is greatly improved.”

In tests, 10.8 per cent of six-digit PINs were cracked after one observation. This figure rose to 26.5 per cent after two observations.

64.2 per cent of six-length patterns with tracing lines, meanwhile, were cracked after one observation. This rose to 79.9 per cent after two observations.

35.3 per cent of six-length patterns without tracing lines were cracked after one viewing, rising to 52.1 per cent after two viewings.

“Shorter paŠtterns were even more vulnerable,” said the researchers, who added that even people who use fingerprint or face-scanning technology to unlock their phones should be ary of their findings.

“Biometrics are a promising advancement in mobile authentication, but they can be considered a reauthenticator or a secondary-authentication device as a user is still required to have a PIN or paˆttern that they enter rather frequently due to environmental impacts (e.g., wet hands),” they said.

“ThŒere are also known to be high false negatives rates associated with biometrics. Further, users with biometrics o‰ften choose weaker PINs as compared to those without, suggesting that the classical unlock authentication remains an important aŠttack vector going forward.”

A separate study published earlier this year found that the majority of lock patterns can be cracked within five attempts.

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in