What's safer? Using a numeric PIN code to unlock your Android smartphone or relying on a finger squiggle?

Newly-released research suggests that, at least when someone close by could be looking over your shoulder, you might be safer with an old-fashioned PIN.

The research, presented in a paper entitled "Towards Baselines for Shoulder Surfing on Mobile Authentication" by the United States Naval Academy and the University of Maryland, tested what could best secure smartphones from so-called "shoulder surfing attacks".

So, if you're worried about someone peeking over your shoulder while you unlock your phone, would you be wiser to use a PIN or a pattern?

According to this research at least, the answer to that question is pretty clear.

Lurkers who have a single observation of your screen as you unlock it with a swipe pattern will be successful in determining your security squiggle 64.2% of the time (rising to an alarming 79.9% with multiple observations). Security can be improved somewhat by removing feedback lines on the pattern lock (35.3% success rate for shoulder surfers, rising to 52.1% with multiple observations).

By comparison, use of a six-digit PIN dramatically reduces the chances of an attacker determining how to unlock your Android smartphone, with just 10.8% of attacks succeeding (rising to 26.5% with multiple observations).

In tests, viewers were able to determine the Android users' lock screen patterns from up to six feet away, from a variety of different angles, even after a single viewing.


Indeed, past research has determined that the "randomness" of an unlock pattern is about the same as that of a three-digit PIN - something I hope that none of us would rely upon.
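As an added illustration (my own code, not the researchers'), the Python below enumerates every pattern the standard 3x3 Android lock accepts and compares the size of that space with a PIN's. The count is a ceiling for a uniformly random pattern; the three-digit figure cited above describes the patterns people actually pick, which cluster far below that ceiling.

```python
from math import log2

# Dot indices on the 3x3 grid:  0 1 2 / 3 4 5 / 6 7 8
def skipped_dot(a, b):
    """Return the dot a straight stroke from a to b passes over, or None.
    That only happens when a and b are two apart in a row, column or
    long diagonal, i.e. when their midpoint is itself a dot."""
    ra, ca = divmod(a, 3)
    rb, cb = divmod(b, 3)
    if (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
        return ((ra + rb) // 2) * 3 + (ca + cb) // 2
    return None

def count_patterns(min_len=4, max_len=9):
    """Count valid Android unlock patterns, keyed by number of dots.
    Rules: no dot twice; a stroke may only jump over a dot that is
    already part of the pattern (otherwise the lock connects it)."""
    counts = {n: 0 for n in range(min_len, max_len + 1)}

    def extend(last, visited, length):
        if length >= min_len:
            counts[length] += 1
        if length == max_len:
            return
        for nxt in range(9):
            if visited & (1 << nxt):
                continue
            mid = skipped_dot(last, nxt)
            if mid is not None and not visited & (1 << mid):
                continue  # would pass over an unvisited dot
            extend(nxt, visited | (1 << nxt), length + 1)

    for start in range(9):
        extend(start, 1 << start, 1)
    return counts

def keyspace_bits(size):
    """Entropy of a secret drawn uniformly from a space of `size` values."""
    return log2(size)

def compare_pattern_to_pin(pin_digits):
    """Bits of a uniformly random pattern vs. a uniformly random PIN."""
    total_patterns = sum(count_patterns().values())
    return keyspace_bits(total_patterns), keyspace_bits(10 ** pin_digits)

if __name__ == "__main__":
    pattern_bits, pin_bits = compare_pattern_to_pin(6)
    print(f"pattern ceiling {pattern_bits:.1f} bits, 6-digit PIN {pin_bits:.1f} bits")
```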

The researchers' conclusion is that a PIN of six digits or more is the most secure defence against shoulder surfing attacks, and that while both types of pattern lock are poor, patterns without lines provide greater security. The length of the input also has an impact; longer authentication is more resistant to shoulder surfing. Additionally, if the attacker has multiple views of the authentication, the attacker's performance is greatly improved.

Unsurprisingly, the research confirmed that phones with larger screens provide less security against shoulder-surfing attacks, and that longer authentication (lengthier swipe patterns or longer PIN codes) makes life harder for criminals.

Of course, that doesn't mean that *any* PIN code should be considered secure, or that all swipe patterns are as safe as each other. Past studies have revealed the most common PINs, and it's clear that a six-digit PIN like "123456" is going to be easier for an attacker to crack than a truly randomly-generated code.

Just as hackers have built databases of the most common passwords used to secure accounts, they have also learnt the most common PIN codes and swipe patterns people use to protect their phones.

It's worth bearing in mind that if you're really worried about someone close by looking over your shoulder to snoop on your PIN code or lock screen pattern, you might be better off protecting your mobile device with a biometric (such as your fingerprint) instead. Biometrics are not impossible to bypass, but in many cases they will be more than enough to defeat anything less than a sophisticated attacker.