Extended- Force vs Nudge : Comparing Users' Pattern Choices on SysPal and TinPal

TL;DR

This study compares two interface modifications, SysPal and TinPal, designed to improve the security of Android's pattern lock by influencing user choices, demonstrating that TinPal produces more complex and guess-resistant patterns without sacrificing memorability.

Contribution

It provides a comparative analysis of SysPal and TinPal interfaces, showing TinPal's effectiveness in generating more secure patterns without usability loss.

Findings

TinPal patterns are longer and more complex.

TinPal enhances guessability resistance.

No significant difference in memorability across interfaces.

Abstract

Android's 3X3 graphical pattern lock scheme is one of the widely used authentication method on smartphone devices. However, users choose 3X3 patterns from a small subspace of all possible 389,112 patterns. The two recently proposed interfaces, SysPal by Cho et al. and TinPal by the authors, demonstrate that it is possible to influence users 3X3 pattern choices by making small modifications in the existing interface. While SysPal forces users to include one, two or three system-assigned random dots in their pattern, TinPal employs a highlighting mechanism to inform users about the set of reachable dots from the current selected dot. Both interfaces improved the security of 3X3 patterns without affecting usability, but no comparison between SysPal and TinPal was presented. To address this gap, we conduct a new user study with 147 participants and collect patterns on three SysPal interfaces, 1-dot, 2-dot and 3-dot. We also consider original and TinPal patterns collected in our previous user study involving 99 participants. We compare patterns created on five different interfaces, original, TinPal, 1-dot, 2-dot and 3-dot using a range of security and usability metrics including pattern length, stroke length, guessability, recall time and login attempts. Our study results show that participants in the TinPal group created significantly longer and complex patterns than participants in the other four groups. Consequently, the guessing resistance of TinPal patterns was the highest among all groups. Further, we did not find any significant difference in memorability of patterns created in the TinPal group and the other groups.