Work in Progress: On the In-Accuracy and Influence of Android Pattern Strength Meters

Maximilian Golla, Jan Rimkus, Adam J. Aviv, Markus Dürmuth

Workshop on Usable Security and Privacy (USEC '19). San Diego, California, February 24, 2019


A common method for helping users select stronger authentication secrets, e.g., passwords, is to deploy a visual strength meter that provides feedback to the user while performing password selection. Recent work considered the accuracy of strength meters for passwords, but there is limited work on understanding the accuracy of strength meters for other knowledge-based authentication types, particularly Android's graphical pattern unlock, despite there being multiple strength meters proposed for patterns in the literature. In this work, we present a preliminary analysis of the accuracy of strength meters for Android patterns, applying the same set of techniques from previous work. Using datasets of patterns collected in several user studies as a baseline, we compare strength meter estimations using weighted Spearman correlation. Overall, we find that strength estimations based on visual properties of the patterns (such as length, intersections, overlapping nodes, and similar) provide strength estimations that have low correlation with the real guessability of Android patterns. Motivated by these findings, we describe a set of research questions and experiments that are in progress that question whether the accuracy of a meter should even be the driving factor for nudging users to more secure choices.

[News] [GitHub] [PDF] [Slides]

tags: accuracy, Android unlock pattern, non-enforcing blacklist, strength meter, Usability