Android pattern lock is still popularly used for mobile user authentication. Unfortunately, however, many concerns have been raised regarding its security and usability. User-created patterns tend to be simply structured or reduced to a small set. Complex patterns are hard to memorize. Input patterns are susceptible to various attacks, such as guessing attacks, smudge attacks, and shoulder surfing attacks. This paper presents a novel mechanism based on the pattern lock, in which behavioral biometrics are employed to address these problems. Our basic idea starts from turning the lock pattern into public knowledge rather than a secret and leveraging touch dynamics. Users do not need to create their own lock patterns or memorize them. Instead, our system shows a public pattern along with guidance on how to draw it. All the user needs to do for authentication is to draw the pattern as shown. For adversaries, the above-mentioned attacks are rendered useless by this new mechanism. Specifically, we study how to generate the public patterns and how to perform authentication. We considered segments, angles, directions, and turns as units for constructing the lock patterns, and established the public pattern criteria. The results are utilized to generate four public patterns in our experiment. For authentication, we achieved equal error rates (EERs) as low as 2.66% (sitting), 3.53% (walking), and 5.83% (combined). Furthermore, the results of our additional experiments demonstrated that our system preserved performance over time (F1-score = 89.88%, SD = 4.60%), and was sufficiently secure against camera-based recording attacks (FAR = 3.25%).INDEX TERMS Behavioral authentication, android pattern lock, smartphone, machine learning.
I. INTRODUCTIONSmartphones have now become a part of our daily lives, and their functionality has significantly increased; hence, mobile user authentication has now turned into an essential mechanism for the security and privacy of users. Currently, various authentication methods such as PIN, passwords, biometrics, and pattern lock, are used among smartphone users, and each scheme has advantages and disadvantages [10], [26].Android pattern lock, which is still widely used for mobile user authentication, dates back to the earlier recall-based systems such as Draw-A-Secret (DAS) [22] and Pass-Go [40]. Users are asked to create and memorize a graphical pattern on a 3 × 3 grid. For authentication, they should remember the pattern, and then draw it with a finger on the grid.The associate editor coordinating the review of this manuscript and approving it for publication was Xiaofan He.
