Given the nature of mobile devices and unlock procedures, unlock authentication is a prime target for credential leaking via shoulder surfing, a form of observation attack. While the research community has investigated solutions to minimize or prevent the threat of shoulder surfing, our understanding of how the attack performs against current systems is less well studied. In this paper, we describe a large online experiment (n = 1173) that works towards establishing a baseline of shoulder surfing vulnerability for current unlock authentication systems. Using controlled video recordings of a victim entering a set of 4- and 6-length PINs and Android unlock patterns on different phones from different angles, we asked participants to act as attackers, trying to determine the authentication input based on the observation. We find that 6-digit PINs are the most elusive attack surface, where a single observation leads to just 10.8% successful attacks (26.5% with multiple observations). As a comparison, 6-length Android patterns, with one observation, were found to have an attack rate of 64.2% (79.9% with multiple observations). Removing feedback lines for patterns improves security to 35.3% (52.1% with multiple observations). This evidence, as well as other results related to hand position, phone size, and observation angle, suggests the best- and worst-case scenarios related to shoulder surfing vulnerability, which can both help inform users to improve their security choices and establish baselines for researchers.
CCS CONCEPTS • Security and privacy → Graphical / visual passwords; Social aspects of security and privacy.