From PINs to Prints: Smartphone Locks and Mobile Device Security

When securing your home’s front door, you have several choices: knob/lever locks, deadbolts, keypads, and smart locks with Internet of Things (IoT) features. Each offers varying degrees of convenience, along with vulnerabilities criminals can exploit to get at what’s inside. You have similar choices to make when it comes to how you lock the “front door” of your smartphone.

Smartphone security is one of the topics we recently explored in our 2018 User Risk Report. When we surveyed 6,000 working adults across six countries — the US, UK, France, Germany, Italy, and Australia — more than 90% of respondents said they use a smartphone, and 39% of these use their devices for both personal and business activities. In the BYOD era, that means infosec teams should be keenly aware of how individuals’ poor cybersecurity behaviors can affect their organizations’ security posture.

Our report found that users secure their smartphones in a variety of ways, as shown in the following chart:

Source: Wombat Security, 2018 User Risk Report.

Yes, Really: 14% of Users Don’t Lock Their Smartphones

Let’s get this unpleasant truth out of the way: 14% of our survey respondents said they do not use any security lock on their smartphones. Among the general public, that number may be much higher, as suggested by some earlier studies. Aside from convenience — or sheer ignorance — it’s hard to justify an unlocked phone. We did find that fewer users in France (8%) and Germany (11%) left their phones unlocked, although they were also much more likely to rely on a simple four-digit PIN (more on that later).

Weighing the Options

So, what’s the most secure way to lock your smartphone? The answer is probably “it depends.” As Kanye West famously demonstrated, a theoretically secure six-digit PIN doesn’t mean much when the number is “000000” — and you enter it in front of global news cameras.

Making smart authentication choices doesn’t happen in a vacuum — it takes place within a broader context of good mobile device security behaviors. The prevalence of weak smartphone security habits points to the need for security awareness training that teaches users how to create strong PINs, passwords, and passphrases.

With that said, here’s a quick look at the most common smartphone locks identified in our User Risk Report, along with some of their pros and cons:

Fingerprint or Other Biometric Scanner (38% of respondents)

Identified as the most popular locking method among our survey respondents, biometric scanners aim to balance security and convenience. They allow near-frictionless authentication by quickly recognizing the user’s unique fingerprint, iris, face, or other physical characteristics. While “biometric IDs seem to be about as close to a perfect identification system as you can get,” as Motherboard’s Daniel Oberhaus writes, security researchers have been quick to demonstrate their vulnerabilities.

Biometric IDs can be spoofed in a variety of ways. Recently, researchers designed a machine learning algorithm to generate fake, “master” fingerprints that target the type of fingerprint sensors commonly found in smartphones.

While not foolproof, biometric ID technology continues to evolve. But it’s worth considering that, while you can easily change a password in the event of a data breach, changing your fingerprint — or face — is another matter. The biometric data smartphones use is “usually safely stored on your device and your device alone, but if your biometric details have made it to a database somewhere, that’s another avenue for hackers to exploit,” as David Nield observed in an article for Gizmodo.

For additional insights and full country-by-country breakdowns, download your copy of the report.

Four-Digit PIN (28% of respondents)

A four-digit PIN is better than nothing, and with 10,000 possible combinations, a good one could help shield devices from casual prying eyes. But the number must be difficult to guess. Using a birthdate or the last four digits of a government ID number as a PIN might be easy to remember, but a social engineer could guess these numbers by gleaning information from social media accounts, public records, or personal data already exposed on the dark web.

Unfortunately, as with the most common passwords, people tend to choose highly predictable PIN numbers, such as “1234” and “1111.” Several years ago, research by Data Genetics found that, in a sample of 3.4 million four-digit PINs, nearly 27% used the same 20 simple combinations.

Complex Swipe Pattern (10% of respondents)

Using your finger to trace a specific pattern across a grid offers an alternative to a PIN, and it’s a relatively quick way to unlock a device. One risk is that frequent use can leave a visible oily smudge on the screen that could be used to infer the swipe pattern. Another risk — shared with some of the other security methods discussed here — is the possibility of shoulder surfing, in which a sharp-eyed attacker observes you entering your swipe pattern.

What’s more, an attacker doesn’t even need to see your screen to crack the lock. In 2017, researchers showed how they could use a smartphone to video finger movements from up to 8 feet away, and then reconstruct the swipe pattern with an algorithm. This approach, they claim, can break more than 95% of patterns within five attempts.

In addition to locking devices, “people tend to use complex patterns for important financial transactions such as online banking and shopping because they believe it is a secure system,” said the principal investigator, Lancaster University’s Dr. Zheng Wang, speaking with The Independent. “However, our findings suggest that using Pattern Lock to protect sensitive information could actually be very risky.”

Six-Digit PIN (8% of respondents)

While it carries some of the same risks as the four-digit variety — don’t use “000000,” for example, and watch out for shoulder surfing — a randomly generated six-digit PIN offers considerable protection. Some security professionals recommend this method as the strongest option, especially when combined with other authentication tools, such as a fingerprint scanner.

One drawback is that a good six-digit PIN can be hard to memorize and cumbersome to enter; it’s far less convenient than just scanning your thumbprint. And, as already discussed, people tend to be bad at choosing effective passwords and PINs. “If you’re careful and clever about it, your PIN code only exists in your head, and that’s a very hard place for a hacker to get into,” writes Nield. But with billions of smartphone users around the world, how many are really going to be “careful and clever” about choosing a PIN?

Alphanumeric Password (7% of respondents)

An alphanumeric password is probably harder to break than a six-digit PIN, but you have to create a strong password — which can mean going against conventional wisdom — and apply other best practices, such as not reusing passwords across accounts.

One disadvantage is the inconvenience — which may explain why this was the least popular method among our survey respondents. A complex password that’s only mildly annoying to enter on a full-size computer keyboard can be maddening on a small touchscreen.

Depending on your operating system and skill with gesture shortcuts, you may need to constantly switch back and forth between three separate, tiny keyboards (letters, numbers, and symbols). Entering this password over and over throughout the day might be more effort than you bargained for. And that’s not even counting the number of times you hit the wrong character and have to start all over again.

Authentication Is Just Part of the Solution

Several additional smartphone authentication tools have been developed, and we’ll likely see more in the future. One commonality among many of the security locks we’ve covered here is that their effectiveness depends on end users who understand strong password creation and mobile device security, and who consistently employ best practices. That’s why security awareness training plays such a crucial role in helping smartphone users protect their own information as well as their employers’ sensitive data. After all, a six-digit PIN doesn’t offer much security if you’re using “000000.”