TinyLock: Affordable defense against smudge attacks on smartphone pattern lock systems

A pattern lock system is a widely used graphical password mechanism in today's mobile computing environment. To unlock a smartphone, a user draws a memorized graphical pattern with a finger on a flat touchscreen whereas the finger actually leaves its oily residues, also called smudges, on the surface of the touchscreen. The smudges can be exploited by adversaries to reproduce the secret pattern. Unfortunately, however, security is still dependent on a user's behavior that is to carefully remove them after use. In this paper, we study an affordable defense to resist the smudge attacks without losing the ease-of-use property of the pattern lock system and without demanding user's attentional behavior after use. We present TinyLock as our main result. TinyLock is a simple tweak of the user interface under the existing pattern lock paradigm but it can effectively resist the smudge attacks. Furthermore, TinyLock can be more resilient to shoulder-surfing attacks than the contemporary pattern lock systems. Our user study shows that TinyLock can significantly improve security of the pattern lock system while incurring minimal cost increase in terms of unlocking time.