The L and Z shapes are the most popular. And most unsafe. Researchers from Bochum and the USA are investigating how to prevent users from using them.
Some services show users who set up a new password a red-yellow-green bar indicating how secure the chosen string is. Such a hint is also under discussion for the unlock patterns of Android smartphones. However, the concepts proposed so far, which exist only in theory, would not improve security. This is the conclusion reached by researchers from the Mobile Security working group at the Ruhr University in Bochum together with colleagues from the United States Naval Academy. The team led by Maximilian Golla and Prof. Dr. Markus Dürmuth will present the results of the study at the Workshop on Usable Security and Privacy in San Diego on February 24, 2019.
Popular patterns easily predictable
At present, anyone who sets up a new unlock pattern on an Android smartphone receives no feedback on the strength of the chosen code. Various research groups have suggested giving the user feedback via a colored bar. "The concepts for such a strength meter have so far all been based on visual properties. For example, they check the number of intersections in the pattern, the starting point, the length, or whether there are overlaps," explains Maximilian Golla, PhD student in the Bochum Mobile Security working group at the Horst-Görtz-Institut für IT-Sicherheit.
However, the current study showed that these parameters have little to do with the actual strength of an unlock pattern. Regardless of how complex the graphical code looks, what matters is how easily an attacker can guess the sequence. Under the Android rules, 389,112 different patterns are possible in principle on the three-by-three grid of points. However, users have certain preferences; for example, they tend to start at the top left and end at the bottom right. "This makes them easily predictable," says Golla.
New concept for strength meters
For around 4,600 unlock patterns selected by users, the German-American team investigated whether the strength meters proposed in theory would classify the patterns as safe or unsafe. The researchers then determined how easy it would actually be to guess the patterns. To do this, they simulated a realistic attacker who improves the odds of success by trying a limited number of the most popular patterns.
In addition to testing the previously proposed strength meters, the researchers also developed their own proposal for a strength meter. They used a Markov model for this; it takes advantage of the fact that people do not select the successive components of a code independently of each other. In passwords, for example, certain combinations of letters are more common than others; similarly, certain paths in the Android unlock pattern are more popular than others.
The result of the analysis: the strength meters proposed so far do not reflect how easy it would be to guess a pattern in practice. In general, however, strength meters are useful, the researchers say, because their mere presence motivates users to think about the code. "But we think it would make more sense if the strength meters were based on a probabilistic approach like the Markov model proposed here," says Maximilian Golla.
Preventing the simplest patterns
However, the scientists point out that it is not beneficial to push the user toward the strongest possible pattern. This is because the Android operating system limits the number of guessing attempts, so excessive strength is unnecessary. "Instead, we need to prevent users from using the most easily guessed patterns, such as the L or Z shape," says Golla. He and his colleagues are currently testing how this could work best.
In an ongoing user study, the researchers have participants estimate how secure they believe certain unlock patterns to be. In a next step, they want to examine how these assessments could be usefully incorporated into a strength meter. The aim is a meter that appears more intuitive to the user and is therefore more accessible. To guarantee security at the same time, the researchers are considering a kind of blacklist; this would, for example, contain the 200 most common patterns. If the user enters one of these patterns, the smartphone would warn them.
Maximilian Golla, Jan Rimkus, Adam J. Aviv, Markus Dürmuth: "On the In-Accuracy and Influence of Android Pattern Strength Meters," Workshop on Usable Security and Privacy (USEC), San Diego, USA, 2019.
Mobile Security Working Group
Horst Görtz Institute for IT Security
Ruhr University Bochum