Using a Blocklist to Improve the Security of User Selection of Android Patterns

Authors: 

Collins W. Munyendo and Miles Grant, The George Washington University; Philipp Markert, Ruhr University Bochum; Timothy J. Forman, United States Navy; Adam J. Aviv, The George Washington University

Abstract: 

Android patterns remain a popular method for unlocking smartphones, despite evidence suggesting that many users choose easily guessable patterns. In this paper, we explore the usage of blocklists to improve the security of user-chosen patterns by disallowing common patterns, a feature currently unavailable on Android but used by Apple during PIN selection. In a user study run on participants' smartphones (n = 1006), we tested 5 different blocklist sizes and compared them to a control treatment. We find that even the smallest blocklist (12 patterns) had benefits, reducing a simulated attacker's success rate after 30 guesses from 24 % to 20 %. The largest blocklist (581 patterns) reduced the percentage of correctly guessed patterns after 30 attempts down to only 2 %. In terms of usability, blocklists had limited negative impact on short-term recall rates and entry times, with reported SUS values indicating reasonable usability when selecting patterns in the presence of a blocklist. Based on our simulated attacker performance results for different blocklist sizes, we recommend blocking 100 patterns for a good balance between usability and security.

BibTeX
@inproceedings {274417,
author = {Collins W. Munyendo and Miles Grant and Philipp Markert and Timothy J. Forman and Adam J. Aviv},
title = {Using a Blocklist to Improve the Security of User Selection of Android Patterns},
booktitle = {Seventeenth Symposium on Usable Privacy and Security (SOUPS 2021)},
year = {2021},
isbn = {978-1-939133-25-0},
pages = {37--56},
url = {https://www.usenix.org/conference/soups2021/presentation/munyendo},
publisher = {USENIX Association},
month = aug
}
