A Survey of Collection Methods and Cross-Data Set Comparison of Android Unlock Patterns

Android's graphical password unlock remains one of the most widely used schemes for phone unlock authentication, and it is has been studied extensively in the last decade since its launch. We have learned that users' choice of patterns mimics the poor password choices in other systems, such as PIN or text-based passwords. A wide variety of analysis and data collections methods was used to reach these conclusions, but what is missing from the literature is a systemized comparison of the related work in this space that compares both the methodology and the results. In this paper, we take a detailed accounting of the different methods applied to data collection and analysis for Android unlock patterns. We do so in two dimensions. First we systemize prior work into a detailed taxonomy of collection methods, and in the second dimension, we perform a detailed analysis of 9 different data sets collected using different methods. While this study focuses singularly on the collection methods and comparisons of the Android pattern unlock scheme, we believe that many of the findings generalize to other graphical password schemes, unlock authentication technology, and other knowledge-based authentication schemes

Double Patterns: A Usable Solution to Increase the Security of Android Unlock Patterns

Android unlock patterns remain quite common. Our study, as well as others, finds that roughly 25\% of respondents use a pattern when unlocking their phone. Despite known security issues, the design of the pattern interface remains unchanged since first launch. We propose Double Patterns, a natural and easily adoptable advancement on Android unlock patterns that maintains the core design features, but instead of selecting a single pattern, a user selects two, concurrent Android unlock patterns entered one-after-the-other super-imposed on the same 3x3 grid. We evaluated Double Patterns for both security and usability by conducting an online study with $n=634$ participants in three treatments: a control treatment, a first pattern entry blocklist, and a blocklist for both patterns. We find that in all settings, user chosen Double Patterns are more secure than traditional patterns based on standard guessability metrics, more similar to that of 4-/6-digit PINs, and even more difficult to guess for a simulated attacker. Users express positive sentiments in qualitative feedback, particularly those who currently (or previously) used Android unlock patterns, and overall, participants found the Double Pattern interface quite usable, with high recall retention and comparable entry times to traditional patterns. In particular, current Android pattern users, the target population for Double Patterns, reported SUS scores in the 80th percentile and high perceptions of security and usability in responses to open- and closed-questions. Based on these findings, we would recommend adding Double Patterns as an advancement to Android patterns, much like allowing for added PIN length