Android’s graphical authentication mechanism requires users to unlock their devices by “drawing” a pattern that connects a sequence of contact points arranged in a 3x3 grid. Prior studies have shown that human-generated patterns are far less complex than one would desire; large portions can be trivially guessed with sufficient training. Custom modifications to Android, such as CyanogenMod, offer ways to increase the grid size beyond 3x3, and in this paper we ask the question: Does increasing the grid size increase the security of human-generated patterns? To answer this question, we conducted two large studies, one in-lab and one online, collecting 934 total 3x3 patterns and 504 4x4 patterns. Analysis shows that for both 3x3 and 4x4 patterns, there is a high incidence of repeated patterns and symmetric pairs (patterns that derive from others based on a sequence of flips and rotations). Further, many of the 4x4 patterns are similar versions of 3x3 patterns distributed over the larger grid space. Leveraging this information, we developed the most advanced guessing algorithm in this space, and we find that guessing the first 20% (G_0.2) of patterns for both 3x3 and 4x4 can be done as efficiently as guessing a random 2-digit PIN. Guessing larger portions of 4x4 patterns (G_0.5), however, requires 2-bits more entropy than guessing the same ratio of 3x3 patterns, but the entropy is still on the order of cracking random 3-digit PINs. These results suggest that while there may be some benefit to expanding the grid size to 4x4, the majority of patterns will remain trivially guessable and insecure against broad guessing attacks.
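The two ideas the abstract leans on, symmetric pairs (patterns related by flips and rotations of the grid) and partial guessing (the number of guesses needed to crack a fraction α of a sample, compared against a uniformly random d-digit PIN), can be made concrete with a small script. The following Python is an added example, not the paper's guessing algorithm or data: the training and test patterns are constructed by hand, and the scoring rule that spreads a symmetry class's training frequency evenly across the class's variants is this example's own assumption, chosen only to show how an attacker who knows about symmetric pairs can rank patterns never seen in training. Patterns are tuples of (row, col) contact points in drawing order on an n x n grid, so the same functions apply to 4x4.

```python
"""Symmetry classes and partial-guessing cost for Android unlock patterns.

Added example, not the paper's algorithm. A pattern is a tuple of (row, col)
contact points on an n x n grid, in the order they are drawn.
"""
import math
from collections import Counter


def rotate(pattern, n):
    """Rotate a pattern 90 degrees clockwise on an n x n grid."""
    return tuple((c, n - 1 - r) for r, c in pattern)


def flip(pattern, n):
    """Mirror a pattern left-to-right on an n x n grid."""
    return tuple((r, n - 1 - c) for r, c in pattern)


def symmetric_variants(pattern, n):
    """All distinct images of a pattern under the 8 flips/rotations of the square."""
    variants = set()
    p = pattern
    for _ in range(4):
        variants.add(p)
        variants.add(flip(p, n))
        p = rotate(p, n)
    return variants


def canonical(pattern, n):
    """Lexicographically smallest variant: one label per symmetry class."""
    return min(symmetric_variants(pattern, n))


def frequency_ranking(train):
    """Baseline attacker: guess training patterns, most frequent first."""
    return [p for p, _ in Counter(train).most_common()]


def symmetry_ranking(train, n):
    """Symmetry-aware attacker: also guess unseen flips/rotations of seen patterns.

    Score (this example's assumption): a pattern's own training count plus
    its symmetry class's count spread evenly over the class's variants.
    Ties are broken lexicographically so the order is deterministic.
    """
    own = Counter(train)
    cls = Counter(canonical(p, n) for p in train)
    candidates = set()
    for p in own:
        candidates |= symmetric_variants(p, n)

    def score(p):
        return own[p] + cls[canonical(p, n)] / len(symmetric_variants(p, n))

    return sorted(candidates, key=lambda p: (-score(p), p))


def guesses_to_cover(ranking, test, alpha):
    """Guesses, in ranking order, until a fraction alpha of test is cracked.

    Returns None if the ranking never reaches that coverage.
    """
    target = alpha * len(test)
    hits = Counter(test)
    covered = 0
    for i, guess in enumerate(ranking, start=1):
        covered += hits[guess]
        if covered >= target:
            return i
    return None


def uniform_pin_guesses(digits, alpha):
    """Guesses to crack a fraction alpha of uniformly random d-digit PINs."""
    return math.ceil(alpha * 10 ** digits)


# Constructed 3x3 sample (not data from the study).
L_SHAPE = ((0, 0), (1, 0), (2, 0), (2, 1), (2, 2))
MID_ROW = ((1, 0), (1, 1), (1, 2))
ZIGZAG = ((0, 0), (0, 1), (0, 2), (1, 1), (2, 0), (2, 1), (2, 2))
N_SHAPE = ((2, 0), (1, 0), (0, 0), (1, 1), (2, 2), (1, 2), (0, 2))
TRAIN = [L_SHAPE] * 3 + [MID_ROW] * 2 + [ZIGZAG]
# The held-out set contains flips/rotations that never appear in TRAIN.
TEST = ([flip(L_SHAPE, 3)] * 2 + [rotate(L_SHAPE, 3)] + [MID_ROW] * 2
        + [rotate(MID_ROW, 3), N_SHAPE, ZIGZAG])


if __name__ == "__main__":
    for alpha in (0.2, 0.5):
        base = guesses_to_cover(frequency_ranking(TRAIN), TEST, alpha)
        sym = guesses_to_cover(symmetry_ranking(TRAIN, 3), TEST, alpha)
        pin = uniform_pin_guesses(2, alpha)
        print(f"alpha={alpha}: frequency-only={base}, symmetry-aware={sym}, "
              f"2-digit PIN={pin} ({math.log2(pin):.1f} bits)")
```

On this constructed data the frequency-only attacker cracks 20% of the test set in 2 guesses but can never reach 50%, because the symmetric siblings in TEST were never seen in training; the symmetry-aware ranking reaches 50% in 4 guesses. A 2-digit PIN costs 20 guesses at α = 0.2, which is the comparison the abstract draws for G_0.2.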
Author(s):
Adam Aviv
United States Naval Academy
United States
Devon Budzitowski
United States Naval Academy
United States
Ravi Kuber
University of Maryland, Baltimore County
United States