Fortifying Android Patterns using Persuasive Security Framework

Android Pattern, form of graphical passwords used on Android smartphones, is widely adopted by users. In theory, Android Pattern is more secure than a 5-digit PIN scheme. Users’ graphical passwords, however, are known to be very skewed. They often include predictable shapes (e.g., Z and N), biases in selection of starting point, and predictable sequences of the points that make them easy to guess. In practice, this decreases the security of Android Pattern to that of a 3-digit PIN scheme for at least half of the users. In this paper, we effectively increase the strength of Android Patterns by using a persuasive security framework, a set of principles to get users to behave more securely. Using these principles, we have designed two user interfaces that persuade users to choose stronger patterns. One of the user interfaces is called BLINK, where the starting point of the pattern is suggested to user, effectively nudging her to create a pattern with a significantly less predictable starting point. The other user interface is called EPSM, where the system gives continuous feedback to user while she is creating a new pattern, effectively persuading her to create a complex pattern. Security and usability of our proposed designs evaluated by conducting a user study on 270 participants recruited from Amazon MTurk demonstrated that while only 49% of subjects choose strong patterns in Android Pattern user interface, our suggested designs increase it to 60% in BLINK and 77% in EPSM version. Keywords–Android; nudging; persuasive security; blinking.