2017-09-15
from the I-saw-what-you-did-there dept.
As reported by Techtimes, when it comes to unlocking your Android phone, patterns are out and PINs are back in.
The full study, Towards Baselines for Shoulder Surfing on Mobile Authentication (PDF, open access, DOI: 10.1145/3134600.3134609), was conducted by the Naval Academy and the University of Maryland.
Security researchers at the U.S. Naval Academy, together with the University of Maryland Baltimore County, published a study showing how a casual onlooker can visually memorize a person's pattern then recreate it with ease. In the tests, they found that two out of three people were able to recreate six-point unlock patterns purely by looking at them from 5 or 6 feet away.
[...] Those same conditions were then replicated with a more traditional six-digit PIN code, which proved far more difficult, with only one out of 10 observers able to recreate the PIN code after peeking.
With multiple chances to view your pattern or pin, the ability of an observer to unlock your phone grows:
In the online tests, 64 percent were able to recreate the Android-style pattern after merely one viewing, but that shot up to 80 percent after a second viewing. PIN codes, meanwhile, rendered much lower vulnerability percentages: only 11 percent were able to identify a six-digit PIN after viewing it once, and 27 percent after viewing it twice.
Apple's new FaceID, previously covered here on SN and explained more fully in Techcrunch's extensive article, has its own problems and annoyances, as well as the fear of being grabbed by police, cuffed, and having your phone held in front of your face before you have time to make the 5 button presses it takes to shut off FaceID. The phone is too new for any independent tests to have been run using pictures or movies of your face.
(Score: 2) by FatPhil on Wednesday September 27, @12:40PM
lg(10)+(lg(3)*3+lg(4)*2+lg(5)*3+lg(6)+lg(8))/9*5
15.2
A 6-digit pin has approximately this amount:
? lg(10)*6
19.9
The issue is not that people can more easily recognise and remember the former, it's that they are fundamentally more simple things. (And people are better at recognising and remembering simpler things)
If they redid the test with 4-digit (13-bit) and 5-digit (16-bit) pins, that would be a more interesting comparison. I'd expect 5-digit pins to still dominate, but the 15.2 vs. 13.3 bits might not be so clear-cut, as the 15.2 assumes that choices made in one transition are independent of choices made in the subsequent transition, which isn't necessarily true, and entropy can only decrease in the presence of restricted options.
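As an added worked example (my own code, not part of the summary or of FatPhil's comment), the script below enumerates every valid Android 3x3 unlock pattern under the stock rules (no dot reused, and a stroke may only pass over a dot that has already been visited) and reports log2 of the exact count beside the entropy of a numeric PIN of comparable length. The dot numbering and the function names are my own choices; the counts it produces are exact rather than the transition-by-transition estimate in the comment above, so they show how much the independence assumption overstates things.

```python
import math

# Android's 3x3 unlock grid, dots numbered row-major (my numbering):
#   0 1 2
#   3 4 5
#   6 7 8
GRID_SIZE = 9


def skipped_dot(a, b):
    """Return the dot lying exactly between dots a and b, or None if the
    stroke a->b passes over no dot (adjacent or knight-like moves)."""
    ra, ca = divmod(a, 3)
    rb, cb = divmod(b, 3)
    if a != b and (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
        return ((ra + rb) // 2) * 3 + (ca + cb) // 2
    return None


def count_patterns(length):
    """Count valid Android patterns made of exactly `length` dots.

    A dot is never reused, and a stroke may only jump over a dot that is
    already part of the pattern (otherwise Android captures that dot)."""
    def extend(last, visited):
        if len(visited) == length:
            return 1
        total = 0
        for nxt in range(GRID_SIZE):
            if nxt in visited:
                continue
            mid = skipped_dot(last, nxt)
            if mid is not None and mid not in visited:
                continue  # stroke would jump over an unvisited dot
            visited.add(nxt)
            total += extend(nxt, visited)
            visited.remove(nxt)
        return total

    return sum(extend(start, {start}) for start in range(GRID_SIZE))


def pattern_bits(length):
    """Entropy in bits of a uniformly chosen pattern with `length` dots."""
    return math.log2(count_patterns(length))


def pin_bits(digits):
    """Entropy in bits of a uniformly chosen numeric PIN with `digits` digits."""
    return digits * math.log2(10)


if __name__ == "__main__":
    for n in range(4, 10):
        print(f"{n}-dot pattern: {count_patterns(n):7d} patterns, "
              f"{pattern_bits(n):5.1f} bits")
    for d in (4, 5, 6):
        print(f"{d}-digit PIN: {pin_bits(d):5.1f} bits")
```

Run as-is it prints the table for pattern lengths 4 through 9 and PINs of 4 to 6 digits. Because the enumeration honours the jump-over rule, the 6-dot figure it reports (log2 of the exact count) lands below the 15.2-bit transition-product estimate in the comment, which is the effect of restricted options that the commenter describes.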
