Skip to main content
SpringerLink
Log in

A cross-setting study of user unlocking behaviour in a graphical authentication scheme: a case study on android Pattern Unlock

  • Regular Contribution
  • Published:
International Journal of Information Security Aims and scope Submit manuscript

Abstract

Pattern Unlock studies have shown that users’ patterns exhibit biases that could result in ease of compromise. These biases range from the choice of pattern start node, pattern length, pattern frequency and pattern association with digits and characters. In this work, we show that users are not to be blamed entirely for the biases exhibited as the authentication method has an inherent weakness that may have contributed to the user biases. In addition, the strengths of user-selected patterns were studied using an adaptive probability model (alternative to the 3-gram Markov model). The adaptive approach estimates the node probability not based on the previous two nodes but all previously selected nodes. The approach ensures the precise measure of the strength of user patterns—and the results show that the adaptive approach performs slightly better than the 3-gram model. Overall, the results were similar, indicating the low strength of user patterns and the need to strengthen the authentication. Furthermore, the study investigated the difference (if any) in user unlocking behaviour in two data collection methodologies (controlled and uncontrolled). The study claimed a significant difference in only one instance (length in the two methodologies), which means that the behaviour is consistent across methodologies. This highlights the feasibility of cross-methodology attack which has been recognised in this work. The findings in this paper are significant for users, developers (of the scheme) and researchers which collectively have to endeavour to minimise the weakness of the scheme.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8

Similar content being viewed by others

Data availability

The data used for this study are available from the corresponding author upon reasonable request.

References

  1. Andriotis, P., Tryfonas, T., Oikonomou, G.: Complexity metrics and user strength perceptions of the pattern-lock graphical authentication method, in human aspects of information security. Privacy Trust 8533, 115–126 (2014)

    Google Scholar 

  2. Andriotis, P., Oikonomou, G., Mylonas, A., Tryfonas, T.: A study on usability and security features of the android pattern lock screen. Inf. Comput. Secur. 24, 53–72 (2016)

    Article  Google Scholar 

  3. Andriotis, P., Kirby, M., Takasu, A.: Bu-dash: a universal and dynamic graphical password scheme. In: Moallem, A. (ed.) HCI for Cybersecurity. Privacy and Trust, pp. 209–227. Springer, Cham (2022)

    Chapter  Google Scholar 

  4. Angulo, J., Wästlund, E.: Exploring touch-screen biometrics for user identification on smart phones. In: Privacy and Identity Management for Life, pp. 130–143 (2012)

  5. Armstrong, R.A.: When to use the Bonferroni correction. Ophthalmic Physiol. Opt. 34(5), 502–508 (2014)

    Article  Google Scholar 

  6. Aviv, A.J., Budzitowski, D., Kuber, R.: Is bigger better? comparing user-generated passwords on 3\(\times \)3 vs. 4\(\times \)4 grid sizes for android’s pattern unlock. In: Proceedings of the 31st Annual Computer Security Applications Conference, ACSAC 2015, pp. 301–310 (2015)

  7. Aviv, A.J., Maguire, J., Prak, J.L.: Analyzing the impact of collection methods and demographics for Android’s pattern unlock. In: Proceedings of Workshop on Usable Security (USEC). Internet Society (2016)

  8. Blonder, G.E.: Graphical password. https://patents.google.com/patent/US5559961A/en (1994). Accessed 30 May 2022

  9. Bonneau, J.: The science of guessing: analyzing an anonymized corpus of 70 million passwords. In: Proceedings of IEEE Symposium on Security and Privacy, pp. 538–552 (2012)

  10. Calkins, M.W.: Short studies in memory and in association from the Wellesly college psychological laboratory. Psychol. Rev. 5(5), 451–462 (1898)

    Article  Google Scholar 

  11. Castelluccia, C., Dürmuth, M., Perito, D.: Adaptive password-strength meters from Markov models. NDSS (2012)

  12. Clark, G.D., Lindqvist, J.: Engineering gesture-based authentication systems. IEEE Pervasive Comput. 14(1), 18–25 (2015)

    Article  Google Scholar 

  13. Colley, A., Seitz, T., Lappalainen, T., Kranz, M., Häkkilä, J.: Extending the touchscreen pattern lock mechanism with duplicated and temporal codes. In: Advances in Human–Computer Interaction, pp. 41-50 (2016)

  14. DataGenetics. Pin Analysis. http://www.datagenetics.com/blog/september32012/ (2015)

  15. De Luca, A., Hang, A., Brudy, F., Lindner, C., Hussmann, H.: Touch me once and I know it’s you! Implicit authentication based on touch screen patterns. In: SIGCHI Conference on Human Factors in Computing Systems, pp. 987–996 (2012)

  16. de Wilde, L., Spreeuwers, L., Veldhuis, R.: Exploring how user routine affects the recognition performance of a lock pattern. In: 2015 International Conference of the Biometrics Special Interest Group (BIOSIG), pp. 1–8 (2015)

  17. Dunphy, P., Yan, J.: Do background images improve draw a secret graphical passwords? In: Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 36–47 (2007)

  18. Forman, T., Aviv, A.: Double patterns: a usable solution to increase the security of android unlock patterns. In: Annual Computer Security Applications Conference, ACSAC ’20, pp. 219–233, New York, NY, USA (2020). Association for Computing Machinery

  19. Ibrahim, N., Sellahewa, H.: Android pattern unlock authentication—effectiveness of local and global dynamic features. In: 2019 International Conference of the Biometrics Special Interest Group (BIOSIG), pp. 1–5 (2019)

  20. Ibrahim, N., Sellahewa, H.: Touch gesture-based authentication: a security analysis of pattern unlock. In: IEEE International Conference on Identity, Security and Behavior Analysis (ISBA), pp. 1–8 (2017)

  21. Jeanjaitrong, N., Bhattarakosol, P.: Feasibility study on authentication based keystroke dynamic over touch-screen devices. In: IEEE 13th International Symposium on Communications and Information Technology (ISCIT), pp. 238–242 (2013)

  22. Jermyn, I.H., Mayer, A., Monrose, F., Reiter, M.K., Rubin, A.D.: The design and analysis of graphical passwords. In: Proceedings of the 8th Conference on USENIX Security Symposium—Volume 8 (1999)

  23. Jurafsky, D., Martin, J.H.: Language Modelling with N-grams, chapter 4. Pearson (2014)

  24. Kabir, M.M., Hasan, N., Tahmid, M.K.H., Ovi, T.A., Rozario, V.S.: Enhancing smartphone lock security using vibration enabled randomly positioned numbers. In: Proceedings of the International Conference on Computing Advancements, ICCA 2020, New York, NY (2020). Association for Computing Machinery

  25. Khan, W.Z., Aalsalem, M.Y., Xiang, Y.: A graphical password based system for small mobile devices. Int. J. Comput. Sci. 5(2), 145–154 (2011)

    Google Scholar 

  26. Knill, K., Young, S.: Hidden Markov models. In: Young, S., Bloothooft, G. (eds.) Speech and Language Processing’. Corpus-Based Methods in Language and Speech Processing, pp. 27–68. Springer, Dordrecht (1997)

    Chapter  MATH  Google Scholar 

  27. Kutzner, T., Ye, F., Bonninger, I., Travieso, C., Dutta, M., Singh, A.: User verification using safe handwritten passwords on smartphones. In: Proceedings of 8th International Conference on Contemporary Computing, IC3 (2015)

  28. Kwon, T., Na, S.: Tinylock: affordable defense against smudge attacks on smartphone pattern lock systems. Comput. Secur., vol. 42, pp. 137–150 (2014)

  29. Loge, M., Duermuth, M., Rostad, L.: On user choice for android unlock patterns. In: Proceedings of the EuroUSEC (2016)

  30. Loge, M.D.: Tell me who you are and I will tell you your unlock pattern. Master’s thesis, Norwegian University of Science and Technology (2015)

  31. MacKay, D.J.C.: Probabilities and Inference, chapter IV. Cambridge University Press, Cambridge (2003)

  32. Martinez-Diaz, M., Fierrez, J., Galbally, J.: Graphical password-based user authentication with free-form doodles. IEEE Trans. Hum.-Mach. Syst. 46(4), 607–614 (2016)

    Article  Google Scholar 

  33. Mehta, C.R., Patel, N.R.: IBM SPSS Exact Tests. https://www.ibm.com/docs/en/SSLVMB_27.0.0/pdf/en/IBM_SPSS_Exact_Tests.pdf (2012). Accessed 30 May 2022

  34. Murray, H., Malone, D.: Convergence of password guessing to optimal success rates. Entropy, 22(4) (2020)

  35. Narayanan, A., Shmatikov, V.: Fast dictionary attacks on passwords using time-space tradeoff. In: Proceedings of the 12th ACM Conference on Computer and Communications Security, pp. 364–372 (2005)

  36. NordPass. Top 200 most common passwords of 2021. https://nordpass.com/most-common-passwords-list/ (2021)

  37. Sae-Bae, N., Ahmed, K., Isbister, K., Memon, N.: Biometric-rich gestures: a novel approach to authentication on multi-touch devices. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 977–986 (2012)

  38. Shannon, C.E.: A mathematical theory of communication. Bell Syst. Tech. J. 27, 623–656 (1948)

    Article  MathSciNet  MATH  Google Scholar 

  39. Sherman, M., Clark, G., Yang, Y., Sugrim, S., Modig, A., Lindqvist, J., Oulasvirta, A., Roos, T.: User-generated free-form gestures for authentication: security and memorability. In: Proceedings 12th ACM International Conference on Mobile Systems, Applications, and Services (2014)

  40. Siadati, H., Gupta, P., Smith, S., Memon, N., Ahamad, M.: Fortifying android patterns using persuasive security framework. In: The Ninth International Conference on Mobile Ubiquitous Computing, Systems, Services and Technologies, p. 81 (2015)

  41. Song, Y., Cho, G., Oh, S., Kim, H., Huh, J.H.: On the effectiveness of pattern lock strength meters: measuring the strength of real world pattern locks. In: Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems, pp. 2343–2352 (2015)

  42. Sun, C., Wang, Y., Zheng, J.: Dissecting pattern unlock: the effect of pattern strength meter on pattern selection. J. Inf. Secur. Appl. 19(4), 308–320 (2014)

    Google Scholar 

  43. Tolosana, R., Vera-Rodriguez, R., Fierrez, J., Ortega-Garcia, J.: Incorporating touch biometrics to mobile one-time passwords: exploration of digits. In: Proceedings of 8th International Conference on Computer Vision and Pattern Recognition Workshops, CVPR-W (2018)

  44. Trojahn, M., Ortmeier, F.: Toward mobile authentication with keystroke dynamics on mobile phones and tablets. In: 27th International Conference on Advanced Information Networking and Application Workshops, IEEE (2013)

  45. Uellenbeck, S., Dürmuth, M., Wolf, C., Holz, T.: Quantifying the security of graphical passwords: the case of android unlock patterns. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, pp. 161–172 (2013)

  46. von Zezschwitz, E., Eiband, M., Buschek, D., Oberhuber, S., De Luca, A., Alt, F., Hussmann, H.: On quantifying the effective password space of grid-based unlock gestures. In: Proceedings of the 15th International Conference on Mobile and Ubiquitous Multimedia, pp. 201–212 (2016)

Download references

Author information

Authors and Affiliations

  1. School of Computing, University of Buckingham, Buckingham, Buckinghamshire, MK18 1EG, UK

    Nasir Ibrahim & Harin Sellahewa

Authors
  1. Nasir Ibrahim
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Harin Sellahewa
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Nasir Ibrahim.

Ethics declarations

Conflict of interest

The authors have no competing interest or conflict of interest to declare.

Ethical approval

Ethical approval was obtained from the University of Buckingham Ethics Committee, and all participants’ consent was obtained.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Ibrahim, N., Sellahewa, H. A cross-setting study of user unlocking behaviour in a graphical authentication scheme: a case study on android Pattern Unlock. Int. J. Inf. Secur. 22, 1849–1863 (2023). https://doi.org/10.1007/s10207-023-00722-x

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10207-023-00722-x

Keywords

Search

Navigation