Double Patterns: A Usable Solution to Increase the Security of Android Unlock Patterns

Android unlock patterns remain quite common. Our study, as well as others, finds that roughly 25\% of respondents use a pattern when unlocking their phone. Despite known security issues, the design of the pattern interface remains unchanged since first launch. We propose Double Patterns, a natural and easily adoptable advancement on Android unlock patterns that maintains the core design features, but instead of selecting a single pattern, a user selects two, concurrent Android unlock patterns entered one-after-the-other super-imposed on the same 3x3 grid. We evaluated Double Patterns for both security and usability by conducting an online study with $n=634$ participants in three treatments: a control treatment, a first pattern entry blocklist, and a blocklist for both patterns. We find that in all settings, user chosen Double Patterns are more secure than traditional patterns based on standard guessability metrics, more similar to that of 4-/6-digit PINs, and even more difficult to guess for a simulated attacker. Users express positive sentiments in qualitative feedback, particularly those who currently (or previously) used Android unlock patterns, and overall, participants found the Double Pattern interface quite usable, with high recall retention and comparable entry times to traditional patterns. In particular, current Android pattern users, the target population for Double Patterns, reported SUS scores in the 80th percentile and high perceptions of security and usability in responses to open- and closed-questions. Based on these findings, we would recommend adding Double Patterns as an advancement to Android patterns, much like allowing for added PIN length.