As mobile security concerns evolve, so do the number of options for protecting against unauthorized device access. Today, standard user authentication alternatives include PINs, traced patterns and biometrics. Yet with all of the different analyses on security levels and risks for each approach, how can IT administrators choose which one is right for their enterprise?
At the Annual Computer Security Applications Conference in Orlando, researchers from the U.S. Naval Academy and the University of Maryland presented a paper on lock screen security that looked in careful detail at shoulder surfing. This method of stealing personal information is completed by standing next to someone and looking at what’s on their phone screen.
The authors performed a series of tests using recorded videos of people unlocking mobile phones using PINs or with unlock patterns. They presented several different scenarios to participants: length of the unlock PIN or lock screen pattern, angle of view, number of times people could view the videos, use of lines showing unlock patterns, size of the phone and hand position.
The data showed that PINs are more secure than unlock patterns, while unlock patterns with trace lines are the least secure. This confirms what many security professionals have thought about the best lock screen security approaches: long PINs are better than short ones, and tracing a pattern on the screen is less secure than an un-traced pattern.
How Secure Are PINs?
Considering all of the scenarios researchers tested, shoulder surfers were able to reproduce PINs about one-third of the time, unlock patterns about half of the time and unlock patterns with trace lines about 75 percent of the time.
Furthermore, long PINs of six digits had the lowest recall rate, with shoulder surfers capturing them 20 percent of the time. Unlock patterns proved easier to remember, with participants recalling four-stroke patterns between 74 to 92 percent of the time.
Additionally, phone size, angle of observation and multiple observations all affect the ability of shoulder surfers to capture unlock codes or patterns.
When it comes to enterprise security, authenticating using PINs and patterns is easy. But PINs and patterns have their cons: they can be loaned, stolen, forgotten or guessed. Additionally, they suffer from poor non-repudiation.
Increasing Enterprise Security
These conclusions suggest a few action items for IT managers trying to keep on top of mobile security. Obviously, it’s a good idea to let end users in your organization know that unlock patterns with lines are significantly less secure than standard PINs, even short ones. A 4-digit PIN is about as easily guessed as a six-point unlock pattern, even without lines. So, a little education may help users increase security measures and protect themselves against shoulder surfing.
Technology-wise, biometric authenticators solve many of the issues associated with PINs and patterns. Benefits include:
Users always have their fingerprint or iris with them.
Users don’t have to constantly remember long passwords or lock patterns.
Logging on is a one-step process with an iris scanner or sensor.
Users don’t have to deal with password prompts or putting in tokens.
Biometric data is difficult to replicate.
As a best practice, IT managers considering biometrics should require any solutions they select to store the biometric data in a protected environment.
For example, Samsung smartphones keep fingerprints and iris data in their TrustZone trusted execution environment, which means that the biometric data can’t be stolen by anyone, even someone with physical access to the device.
Authentication and phone unlocking can be a difficult subject because IT managers have to balance enterprise security requirements and ease of use with user bad habits. By skipping PINs and unlock patterns entirely, they can move to biometrics and gain a more convenient and, in many ways, more secure authentication system.
Learn how you can leverage biometrics within your organization.