Newsportal - Ruhr-Universität Bochum
How secure are Knock Codes for smartphone lock screens
The Knock Codes for lock screens introduced by LG for smartphones are less secure than four-digit PINs and Android unlock patterns. This is the conclusion reached by researchers from the New Jersey Institute of Technology, the Horst Görtz Institute for IT Security (HGI) at Ruhr-Universität Bochum, and The George Washington University. They will present their findings at the 16th Symposium on Usable Privacy and Security that will be held as a virtual conference between 9 and 11 August 2020.
“Our analysis contradicts LG’s advertisement, which promises ‘perfect security’ of Knock Codes,” says Philipp Markert from the Bochum Research Group Mobile Security at HGI. For the study, he collaborated with Raina Samuel and Professor Iulian Neamtiu from the New Jersey Institute of Technology and Professor Adam Aviv from The George Washington University.
When a user unlocks the mobile phone using a Knock Code, two times two fields are displayed, which must be tapped in a certain sequence. The sequence must have a length of between six and ten taps. According to estimates, between 700,000 and 2.5 million people in the USA are currently using this technology. The research team analysed how easily an attacker who has gained access to another person’s smartphone could guess a tapping pattern.
Algorithm guesses codes
In an online study, 351 participants from the USA came up with a Knock Code. Afterwards, they answered a few questions, for example, about the perceived security of the code that they had to re-enter after about five minutes.
In the next step, the IT security researchers analysed how quickly a computer algorithm could guess the assigned Knock Codes. They had trained the algorithm using Knock Codes collected in a preliminary study. Based on the training data, the algorithm learned the users’ Knock Code preferences and, when guessing, tried particularly popular elements first.
“65 per cent of users started tapping their code in the top left-hand corner, and a large percentage of them chose the field in the top right-hand corner next,” explains Markert. “I’m sure this is because of the reading habits in the Western world.” Based on such user preferences, the algorithm needed fewer attempts to guess the six- to ten-tap Knock Codes in the online study than it did for commonly used four-digit PINs or Android unlock patterns.
The researchers also tested whether they could improve the security of the codes by providing users with two times three fields instead of two times two fields for the Knock Code. This way, the number of possible Knock Codes increased from about 1.3 million to more than 72 million sequences. “But that didn’t help, either,” points out Philipp Markert. “Paradoxically, users even set shorter Knock Codes on average when they had more fields at their disposal.”
Blocklist boosts security
However, the team found that a blocklist made the code more secure. The list contained the 30 most popular Knock Codes identified in a preliminary study. Users who set one of the blocked codes were prompted to choose some other code. As a result, the participants generated patterns that were actually harder to guess.
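To make the three mechanisms described above concrete (the size of the tap-sequence space for a 2×2 versus a 2×3 grid, a popularity-ordered guessing strategy, and a blocklist applied at code-selection time), here is a small added Python model. It is not code from the study or from LG; the training and test codes are constructed, fields are numbered 0 to 3 on the 2×2 grid (0 = top left, 1 = top right, 2 = bottom left, 3 = bottom right), and the blocklist size is reduced from the study’s 30 to fit the toy data.

```python
from collections import Counter

def keyspace(rows: int, cols: int, min_len: int = 6, max_len: int = 10) -> int:
    """Number of distinct tap sequences of length min_len..max_len on a rows x cols grid."""
    fields = rows * cols
    return sum(fields ** n for n in range(min_len, max_len + 1))

def build_blocklist(training_codes, size: int) -> set:
    """The `size` most common codes in the training data; these are rejected at set-up time."""
    return {code for code, _ in Counter(training_codes).most_common(size)}

def validate(code, rows: int, cols: int, blocklist, min_len: int = 6, max_len: int = 10):
    """Return None if the code may be set, otherwise a short reason string."""
    if not min_len <= len(code) <= max_len:
        return "length"
    if any(not 0 <= f < rows * cols for f in code):
        return "field"
    if code in blocklist:
        return "blocklisted"
    return None

def guesses_needed(code, training_codes):
    """Rank of `code` in a guess list ordered by popularity in the training data (None if absent)."""
    order = [c for c, _ in Counter(training_codes).most_common()]
    return order.index(code) + 1 if code in order else None

def cracked_within(test_codes, training_codes, budget: int) -> float:
    """Fraction of test codes recovered within `budget` popularity-ordered guesses."""
    hits = 0
    for code in test_codes:
        rank = guesses_needed(code, training_codes)
        if rank is not None and rank <= budget:
            hits += 1
    return hits / len(test_codes)

# Constructed sample data: most codes start top-left then top-right, as the study reports.
TRAINING = ([(0, 1, 2, 3, 0, 1)] * 5 + [(0, 1, 3, 2, 0, 1)] * 3
            + [(0, 1, 0, 1, 0, 1)] * 2 + [(3, 2, 1, 0, 3, 2)] + [(1, 3, 2, 0, 1, 3)])
TEST = [(0, 1, 2, 3, 0, 1), (0, 1, 0, 1, 0, 1), (2, 0, 1, 3, 2, 0)]
BLOCKLIST = build_blocklist(TRAINING, 2)   # the study used the 30 most popular codes

if __name__ == "__main__":
    print("2x2 grid, 6-10 taps:", keyspace(2, 2))
    print("2x3 grid, 6-10 taps:", keyspace(2, 3))
    print("cracked within 3 guesses:", cracked_within(TEST, TRAINING, 3))
    for code in TEST:
        print(code, "->", validate(code, 2, 2, BLOCKLIST) or "accepted")
```

Enlarging the grid raises the raw sequence count by a factor of about 50, but the guess count depends on the popularity ranking, not on the keyspace, which is why a blocklist that removes the head of that ranking helps where extra fields did not.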
The three most popular Knock Codes were as follows:
Knock Codes difficult to memorise
The study also showed that Knock Codes are difficult to memorise: approximately one in ten participants had forgotten the code by the end of the study, even though it only lasted five minutes. In a related study on PINs, the rate was less than one per cent.
“We also collected some statements from users who said that while Knock Codes are easy to set up, they are difficult to memorise,” says Philipp Markert. In addition, entering such a code to unlock the display took seven seconds on average, whereas entering a PIN typically takes four and a half seconds and an Android unlock pattern three seconds.
Raina Samuel, Philipp Markert, Adam J. Aviv, Iulian Neamtiu: Knock, Knock. Who’s There? On the Security of LG’s Knock Codes, Symposium on Usable Privacy and Security (SOUPS), 2020, Online preprint
14 July 2020