Smartphones are an important part of everyday life for many people. They allow quick and easy access to online services such as banking, social media and even dating. Consequently, these devices can contain massive amounts of personal information. Many people use lock screens on their smartphones to protect their personal information and accounts, but exactly how they use them is unclear. The security and usability of unlocking mechanisms in controlled conditions are well understood. However, how different smartphone users choose unlocking mechanisms and how they work in the real world is still unknown.
Mahfouz, Muslukhov and Beznosov wanted to learn how people use Android smartphone devices ‘in the wild.’ They studied how these people lock, unlock and use their devices during their day-to-day activities. The researchers recruited 41 participants at the University of British Columbia and via social media. Participants installed an invisible monitoring tool from the Google Play store on their Android devices. The researchers monitored each device for 20 days, from December 2014 until March 2015. They collected information on the use of different unlocking mechanisms, such as numeric passwords (PINs), passwords and patterns. They also collected information on the ‘auto-lock timeout’ feature that automatically locks an unused device after a time period. Increasing the auto-lock timeout gives attackers more time to get to an unlocked smartphone. Decreasing it, or setting the device to lock immediately when the power button is touched, reduces this window of opportunity.
Among the 41 participants, 22 locked their smartphones. Out of these 22, two locked their devices with passwords, five with PINs and 15 with patterns. Participants who locked their smartphones interacted with their devices more often and for longer than those who did not. Most of these participants also changed the auto-lock timeout: only six did not. Seven participants increased it to 30 minutes, while nine set it to activate immediately. Seven of these nine participants also used patterns to unlock their smartphones. Patterns take very little time and effort, so users can easily afford the inconvenience of an immediate auto-lock timeout. On average, the auto-lock feature was responsible for 11% of all device locking, and most devices remained unlocked for over a minute when not in use.
Patterns were the fastest unlocking mechanism. Participants entered patterns at a similar speed to PINs but significantly more quickly than passwords. Patterns unlocked their devices in 1.7 seconds on average, compared to 2.5 seconds for PINs and 4.1 seconds for passwords. However, PINs had the highest success rate. PINs were 5.5 times less likely to have mistakes than patterns and 6.3 times less likely than passwords. They also had the fewest consecutive mistakes, but repeated mistakes were uncommon in general. Unlocking time seems to be important to smartphone users. Those who used patterns or PINs spent an average of 100 seconds each day unlocking their device, compared to password users, who spent 200 seconds doing so.
Participants appeared willing to tolerate a few mistakes here and there, as long as it meant they could still quickly unlock their devices. Due to the low rates of repeated mistakes, consecutive errors could be an indicator of a guessing attack. Smartphone users seem to be picky about their unlocking methods and do not want to waste time. They appear to be willing to balance the effort and time needed to unlock their devices with the immediacy of automatic lock. Developers must consider the most appealing features of popular unlocking mechanisms when creating new models. They should consider models that are quick and convenient, even if they result in a few more failed attempts.
The speed and convenience of locking mechanisms appear to influence people’s locking habits.