Draw It As Shown: Behavioral Pattern Lock for Mobile User Authentication

Android pattern lock is still popularly used for mobile user authentication. Unfortunately, however, many concerns have been raised regarding its security and usability. User-created patterns tend to be simply structured or reduced to a small set. Complex patterns are hard to memorize. Input patterns are susceptible to various attacks, such as guessing attacks, smudge attacks, and shoulder surfing attacks. This paper presents a novel mechanism based on the pattern lock, in which behavioral biometrics are employed to address these problems. Our basic idea starts from turning the lock pattern into public knowledge rather than a secret and leveraging touch dynamics. Users do not need to create their own lock patterns or memorize them. Instead, our system shows a public pattern along with guidance on how to draw it. All the user needs to do for authentication is to draw the pattern as shown. For adversaries, the above-mentioned attacks are rendered useless by this new mechanism. Specifically, we study how to generate the public patterns and how to perform authentication. We considered segments, angles, directions, and turns as units for constructing the lock patterns, and established the public pattern criteria. The results are utilized to generate four public patterns in our experiment. For authentication, we achieved equal error rates (EERs) as low as 2.66% (sitting), 3.53% (walking), and 5.83% (combined). Furthermore, the results of our additional experiments demonstrated that our system preserved performance over time (F1-score = 89.88%, SD = 4.60%), and was sufficiently secure against camera-based recording attacks (FAR = 3.25%).