Android unlock patterns are among the most common authentication mechanisms on mobile devices. They are fast and easy to use but also lack security as user-chosen gestures are easy to guess and easy to observe. To improve the traditional pattern approach, we propose Stop2Unlock, a usable but more secure modification of the traditional pattern lock. Stop2Unlock allows users to define nodes where they stop for a limited amount of time before swiping to the next node. We performed a lab study (n=40) and a field study (n=14) to show that this small change in user interaction can have a significant impact on security with a minimal impact on usability. That is, user-selected Stop2Unlock patterns are significantly harder to guess while being comparable in terms of usability. Additional analysis showed that users perceived the stop component as a rhythmic and memorable cue which supported the selection of higher entropy patterns.
Workshop on Usable Security and Privacy (USEC) 2019