When securing your home’s front door, you have several choices: knob/lever locks, deadbolts, keypads, and smart locks with Internet of Things (IoT) features. Each offers varying degrees of convenience, along with vulnerabilities criminals can exploit to get at what’s inside. You have similar choices to make when it comes to how you lock the “front door” of your smartphone.
Smartphone security is one of the topics we recently explored in our 2018 User Risk Report. When we surveyed 6,000 working adults across six countries — the US, UK, France, Germany, Italy, and Australia — more than 90% of respondents said they use a smartphone, and 39% of these use their devices for both personal and business activities. In the BYOD era, that means infosec teams should be keenly aware of how individuals’ poor cybersecurity behaviors can affect their organizations’ security posture.
Source: Wombat Security, 2018 User Risk Report.
Four-Digit PIN (28% of respondents)
A four-digit PIN is better than nothing, and with 10,000 possible combinations, a good one could help shield devices from casual prying eyes. But the number must be difficult to guess. Using a birthdate or the last four digits of a government ID number as a PIN might be easy to remember, but a social engineer could guess these numbers by gleaning information from social media accounts, public records, or personal data already exposed on the dark web.
Unfortunately, as with the most common passwords, people tend to choose highly predictable PIN numbers, such as “1234” and “1111.” Several years ago, research by Data Genetics found that, in a sample of 3.4 million four-digit PINs, nearly 27% used the same 20 simple combinations.
Complex Swipe Pattern (10% of respondents)
Using your finger to trace a specific pattern across a grid offers an alternative to a PIN, and it’s a relatively quick way to unlock a device. One risk is that frequent use can leave a visible oily smudge on the screen that could be used to infer the swipe pattern. Another risk — shared with some of the other security methods discussed here — is the possibility of shoulder surfing, in which a sharp-eyed attacker observes you entering your swipe pattern.
What’s more, an attacker doesn’t even need to see your screen to crack the lock. In 2017, researchers showed how they could use a smartphone to video finger movements from up to 8 feet away, and then reconstruct the swipe pattern with an algorithm. This approach, they claim, can break more than 95% of patterns within five attempts.
In addition to locking devices, “people tend to use complex patterns for important financial transactions such as online banking and shopping because they believe it is a secure system,” said the principal investigator, Lancaster University’s Dr. Zheng Wang, speaking with The Independent. “However, our findings suggest that using Pattern Lock to protect sensitive information could actually be very risky.”
Six-Digit PIN (8% of respondents)
While it carries some of the same risks as the four-digit variety — don’t use “000000,” for example, and watch out for shoulder surfing — a randomly generated six-digit PIN offers considerable protection. Some security professionals recommend this method as the strongest option, especially when combined with other authentication tools, such as a fingerprint scanner.
One drawback is that a good six-digit PIN can be hard to memorize and cumbersome to enter; it’s far less convenient than just scanning your thumbprint. And, as already discussed, people tend to be bad at choosing effective passwords and PINs. “If you’re careful and clever about it, your PIN code only exists in your head, and that’s a very hard place for a hacker to get into,” writes Nield. But with billions of smartphone users around the world, how many are really going to be “careful and clever” about choosing a PIN?
Alphanumeric Password (7% of respondents)
An alphanumeric password is probably harder to break than a six-digit PIN, but you have to create a strong password — which can mean going against conventional wisdom — and apply other best practices, such as not reusing passwords across accounts.
One disadvantage is the inconvenience — which may explain why this was the least popular method among our survey respondents. A complex password that’s only mildly annoying to enter on a full-size computer keyboard can be maddening on a small touchscreen.
Depending on your operating system and skill with gesture shortcuts, you may need to constantly switch back and forth between three separate, tiny keyboards (letters, numbers, and symbols). Entering this password over and over throughout the day might be more effort than you bargained for. And that’s not even counting the number of times you hit the wrong character and have to start all over again.
Authentication Is Just Part of the Solution
Several additional smartphone authentication tools have been developed, and we’ll likely see more in the future. One commonality among many of the security locks we’ve covered here is that their effectiveness depends on end users who understand strong password creation and mobile device security, and who consistently employ best practices. That’s why security awareness training plays such a crucial role in helping smartphone users protect their own information as well as their employers’ sensitive data. After all, a six-digit PIN doesn’t offer much security if you’re using “000000.”
Subscribe to the Proofpoint Blog