What’s safer? Using a numeric PIN code to unlock
your Android smartphone or relying on a finger squiggle?
Newly released research suggests that, at least
when someone nearby could be looking over your shoulder, you might be safer
with an old-fashioned PIN.
The research, presented in a paper entitled “Towards Baselines for Shoulder
Surfing on Mobile Authentication” by researchers at the United States Naval Academy
and the University of Maryland, measured how well common Android unlock methods hold up
against so-called “shoulder surfing attacks”, in which someone learns your unlock
secret simply by watching you enter it.
So, if you’re worried about someone peeking over
your shoulder while you unlock your phone, would you be wiser to use a PIN or a
pattern?
According to this research at least, the answer to
that question is pretty clear.
Lurkers who get a single look at your
screen as you unlock it with a swipe pattern will be able to reproduce
your security squiggle 64.2% of the time (rising to an alarming 79.9% with
multiple observations). Security can be improved somewhat by turning off the
feedback lines that trace your finger across the dots (the “Make pattern visible”
option in Android’s security settings): without them, shoulder surfers succeeded
35.3% of the time after one observation, rising to 52.1% with multiple observations.
By comparison, a six-digit PIN dramatically
reduces an attacker’s chances of working out how to unlock your Android smartphone:
just 10.8% of single-observation attacks succeeded (rising to 26.5% with multiple
observations).
In the tests, observers were able to recover
Android users’ lock screen patterns from up to six feet away and from a variety of
angles, even after a single viewing.
Indeed, past research has found that the effective
“randomness” of the unlock patterns people actually choose is about the same as
that of a three-digit PIN, something I hope none of us would rely upon. That is far
below the number of patterns the lock screen nominally accepts: the weakness lies in
the predictable shapes people pick, not in the mechanism itself.
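To put the “three-digit PIN” comparison in context, here is an added example (not code from the paper or from this article) that enumerates every pattern Android’s 3x3 lock accepts and expresses the nominal keyspace in bits alongside PINs of various lengths. It assumes the standard Android rules (4 to 9 dots, no dot reused, and a straight stroke cannot pass over an unvisited dot because the lock snaps to that dot); those rules are hard-coded in `dot_between` and `is_valid_pattern`, and the function names are my own.

```python
"""Compare the nominal keyspace of Android 3x3 unlock patterns with PINs.

Constructed example. Assumed Android rules: 4 to 9 dots, no dot reused, and a
straight segment cannot jump over an unvisited dot (the lock snaps to that
middle dot instead). Dots are numbered 0..8 in row-major order.
"""
import functools
import math

GRID = 3
DOTS = tuple(range(GRID * GRID))


def dot_between(a, b):
    """Dot that a straight line from a to b passes over, or None.

    Only moves spanning two rows/columns in a straight or diagonal line have
    a middle dot (0 -> 2 passes over 1, 0 -> 8 passes over 4); knight-style
    moves such as 0 -> 5 do not.
    """
    ra, ca = divmod(a, GRID)
    rb, cb = divmod(b, GRID)
    if (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
        return ((ra + rb) // 2) * GRID + (ca + cb) // 2
    return None


def is_valid_pattern(path, min_len=4, max_len=9):
    """True if the pattern lock would register this dot sequence as drawn."""
    if not (min_len <= len(path) <= max_len) or len(set(path)) != len(path):
        return False
    if any(d not in DOTS for d in path):
        return False
    for i in range(1, len(path)):
        mid = dot_between(path[i - 1], path[i])
        if mid is not None and mid not in path[:i]:
            return False  # would have snapped to the unvisited middle dot
    return True


@functools.lru_cache(maxsize=None)
def count_patterns(min_len=4, max_len=9):
    """Number of valid patterns of each length, by depth-first enumeration."""
    counts = {n: 0 for n in range(min_len, max_len + 1)}

    def extend(path, visited):
        if len(path) >= min_len:
            counts[len(path)] += 1
        if len(path) == max_len:
            return
        last = path[-1]
        for nxt in DOTS:
            if nxt in visited:
                continue
            mid = dot_between(last, nxt)
            if mid is not None and mid not in visited:
                continue  # skipping an unvisited dot is not a distinct pattern
            path.append(nxt)
            visited.add(nxt)
            extend(path, visited)
            visited.discard(nxt)
            path.pop()

    for start in DOTS:
        extend([start], {start})
    return counts


def bits(n):
    """Entropy in bits of a uniformly random choice among n alternatives."""
    return math.log2(n)


def keyspace_report():
    """Nominal keyspace in bits for patterns and for 3-, 4- and 6-digit PINs."""
    patterns = sum(count_patterns().values())
    return {
        "pattern_total": patterns,
        "pattern_bits": round(bits(patterns), 1),
        "pin3_bits": round(bits(10 ** 3), 1),
        "pin4_bits": round(bits(10 ** 4), 1),
        "pin6_bits": round(bits(10 ** 6), 1),
    }


if __name__ == "__main__":
    for length, n in sorted(count_patterns().items()):
        print(f"{length}-dot patterns: {n}")
    print(keyspace_report())
```

The nominal figure (about 18.6 bits, a shade under a six-digit PIN) is the ceiling; the roughly 10 bits the article cites is what is left once real users pick a handful of predictable shapes. Keyspace tells you how hard a lock is to guess blind; it says nothing about how hard it is to watch, which is the point of the research above.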
The researchers’ conclusion is that a PIN of six
digits or more is the most secure defence against shoulder surfing attacks, and that
while both types of pattern lock are poor, patterns without feedback lines provide
greater security than patterns with them. The length of the input also matters: longer
PINs and longer patterns are more resistant to shoulder surfing. And if the
attacker gets multiple views of the authentication, their success rate
improves greatly.
Unsurprisingly, the research also found that phones
with larger screens offer less protection against
shoulder-surfing attacks, and confirmed that longer authentication (lengthier swipe patterns
or longer PIN codes) makes life harder for criminals.
Of course, that doesn’t mean that *any* PIN code
should be considered secure, or that all swipe patterns are equally
safe. Past studies have revealed the most common PINs,
and it’s clear that a six-digit PIN like “123456” is going to be far easier for an
attacker to guess than a truly randomly-generated code.
Just as hackers have built databases of the most
common passwords used to secure accounts, they have also learnt the most common
PIN codes and swipe patterns people use to protect their phones.
It’s worth bearing in mind that if you’re really
worried about someone close by looking over your shoulder to snoop on your PIN
code or lock screen pattern, you may be better off protecting your
mobile device with a biometric (such as your fingerprint) instead. Biometrics
are not impossible to bypass, but in many cases they will be more than enough
to defeat anything less than a sophisticated attacker. Remember, though, that
Android still requires a PIN, pattern or password as the fallback behind a fingerprint
unlock (after a reboot, for instance), so choose that fallback with the same care and
avoid entering it where others can watch.