A while back, I woke up to find my Android phone lingering at a pattern unlock screen. Not just to unlock my screen, but a prompt to decrypt all of my phone’s data. I was puzzled. Every other morning, I decrypted my device using a 10-digit, alphanumeric passphrase—something I perceived, accurately, as being infinitely more secure than tracing a dumb pattern with my finger.
As it turned out, my phone had performed a software update and this was one of its new features. I couldn’t figure out why, but my phone had significantly downgraded my security. Stupid, stupid phone.
A joint study published this week by researchers at the US Naval Academy and the University of Maryland Baltimore County offers further proof that using an unlock pattern is an incredibly dumb way to secure a mobile device. First reported by Wired, the study shows that around two-thirds of people are able to recreate patterns after watching others input them once, even from five or six feet away. By contrast, only 1 in 10 subjects could recreate a six-digit PIN code after a single look.
The reason is fairly obvious: human brains are specifically wired to recognise and recall patterns. In fact, our proclivity for patterns is one of the neat things that set us apart from the rest of the animal kingdom. It is inherent to our unique intelligence. Accordingly, a secret passphrase should not be something a stranger on a train can memorise after seeing you input it once from six seats away.
According to Wired, 1,173 subjects took part in the tests. Each was shown controlled videos depicting people unlocking their phones from a variety of angles. They were then asked to reproduce the PINs and unlock patterns they had seen. After two viewings, around 80 per cent of the subjects could reproduce the pattern; 64 per cent could do it after one viewing. Even after watching someone enter a six-digit PIN twice, only 27 per cent of the subjects could reproduce it correctly.
Here’s what those viewing angles look like, taken from a copy of the research published on the Naval Academy’s website:
[Figure: viewing angles used in the study, from "Towards Baselines for Shoulder Surfing on Mobile Authentication", United States Naval Academy]
The overall goal, the researchers wrote, was “establishing baselines for how current authentication performs against shoulder surfing, as well as provide insight into settings of current authentication that can protect users from shoulder surfing.” (The study’s authors are Adam Aviv, John Davin, and Flynn Wolf from the US Naval Academy and Ravi Kuber of the University of Maryland.)
If that's not enough, a 2015 study showed that a majority of users use only four nodes for pattern unlocks, and roughly 77 per cent always start their patterns in one of the four corners; almost half start in the upper left-hand corner. And whether they realise it or not, around 10 per cent of users prefer to trace the shape of a letter. We humans are incredibly predictable.
This all may seem a bit obvious, but perhaps knowing a controlled study exists that backs up your well-reasoned assumptions is enough to warn you off pattern-based passwords. A six-digit PIN might take a fraction of a second longer to input—UGH, so long—but it’s better than having your phone stolen and all your freaky photos dumped online. Think about it. [Wired, US Naval Academy]