Innovative Spiral Lock Design for Smartphone Security

Innovative Spiral Lock Design for Smartphone Security Jacqueline Bermudez, Alaa Abdulaal, Liwen Xu, Benson Quach University of Toronto Department of Computer Science {jbermudez, alaa84, xuliwenx, benson}@cs.toronto.edu ABSTRACT We introduce a new locking concept to improve setbacks of two locks Pattern and PIN to determine a lead towards a more convenient and secure unlocking gesture. We hypothesize our design will outperform the Pattern lock in both efficiency and failed unlockings; and believe the Pattern and our design will underperform in comparison to the PIN lock. In our study with twenty-seven participants our design performed better in comparison to the average speed of the Pattern and PIN lock, and though under suspicion of sample size the Pattern performed better than the PIN. In terms of errors, there were no significant differences between Pattern and our design, but as suspected the PIN lock performed better than both in this regard. Unfortunately, under our qualitative feedback we received that our design is the least comfortable amongst the three locks, but is of preference similar to the Pattern. Author Keywords Smartphone; Mobile; Unlocking Gesture; Layout; Pattern lock; PIN lock; Spiral lock; Mobile Security ACM Classification Keywords H.5.m. Information interfaces and presentation (e.g., HCI): Miscellaneous. INTRODUCTION In the current state of today we can find a variety of processes of how to authenticate an identity of a user for accessing a mobile device. A few lock applications commonly used for touchscreen mobile devices are pattern, text, PINs, and image-based passwords. Each application has its advantages and disadvantages, whether it d be in time, security or complexity. According to Gartner, by the end of 2013, there will be 1.3 billion smartphones in active use worldwide [1]. Falaki et al. [2] have shown that users interact with their phones on average 10-200 times a day. Taking into account the previous two points, it suggests that, worldwide, at least 13 billion unlock gestures are performed on a daily basis. If we take a step back to visualize the impact in time that unlocking gestures have upon our lives we can agree that there is a clear concern on achieving the optimal efficiency of such a gesture. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee CHI 2014, December 7 14, 2014, A recent study by Lookout Mobile Security [3] found that 58% of adult smartphone users do not go an hour without checking their phone and Oulasvirta et al. [4] showed that 18-35% of the time, users interact with their phone only briefly out of their habit of checking for dynamic content. Furthermore, as mentioned above at least 13 billion unlocking gestures are performed on a daily basis. With this being said, the significance and daily impact of the smartphone unlock screen is a prevalent topic that should be researched deeply. We now dive into the literature of the two most commonly used and state of the art unlocking gestures for smartphones; the Pattern and PIN lock, with the intention of analyzing the theoretical and contextual issues that constrain and influence our study. RELATED WORK One literature reviewed presented comparisons between the Pattern and PIN lock, more specifically one research showed that the PIN lock outperforms the Pattern lock when comparing unlocking speed and error rate. However, the qualitative results suggested that users tend to accept this mishap and are still in favor of the Pattern lock to a certain extent. For instance, it was found to be rated better in terms of ease-of-use, feedback and likeability. Most interestingly, even though the pattern lock does not provide any undo or cancel functionality, it was rated significantly better than PIN in terms of error recovery; this provides insight into the relationship between error prevention and error recovery in user authentication [5]. This point addresses strongly that Pattern is more preferred and liked than the PIN lock. In a study by Clarke et al. [6], 41% of their respondents expressed concerns with respect to PINs and alphanumeric passwords, supporting the need for alternative authentication techniques and thus, shape-based authentication better supports the way the brain remembers and stores information. The shape can be remembered as an image, hence exploiting the pictorial superiority effect [7, 8]. Additionally, since the pattern is drawn manually in exactly the same way every time and repeated regularly within the Pattern lock, the user s motor memory [9, 10] further improves the memorability. This effect was shown to be effective [11, 12], even when the shapes are performed by the user s gaze [13]. This point encourages and supports our choice of modelling our lock after the form of the Pattern lock. Now the next question that immediately falls into mind is security. This pattern based approach has major drawbacks, drawn passwords are very easy to spy on [12, 13], which makes shoulder surfing, a

common and obvious attack in public settings [14], a clear and obviously serious threat. Other attacks include the infamous smudge attack [15], in which finger traces left on the screen are used to extract the password. Due to its weak security properties, this authentication approach does not fully meet the requirement of adequately protecting the user s data stored on the device. In the present state of today, not only private but also valuable business information is stored on the user s handheld [16]. Hence, one of the biggest design concerns is the resistance to attacks when designing authentication systems for smartphone devices. These security points raised have been acknowledged within our lock design and we believe we have a potential solution for the matters mentioned. Conclusively, mobile interaction is a pervasive topic and has significant impact on a vast majority of individuals on a daily basis and as such we perform the research to come using our own design with the full intention of alleviating the common constraints mentioned above with the current state of the art unlocking gestures; Pattern and PIN. Our goal is to attempt to determine a more convenient unlocking gesture to significantly reduce the time impact of such actions. We performed empirical research on two common and state of the art lock screens, namely Pattern and PIN, along with our Spiral lock creation (as shown in Figure 1.), effectively contrasting these three candidates against each other. RESEARCH QUESTION AND HYPOTHESIS The lock we created is most similar to the Pattern lock, which was found to be the most preferred amongst the smartphone community found in one study mentioned. However, instead of the nine node grid offered by the Pattern lock we introduce and implement a new circle node layout as well as locking concept in hopes to both improve common security issues mentioned in recent publications as well as comfort, while exploring factors such as one-handed unlocking, likability, preference, comfort, speed, and failed unlockings of the three lock types. Except for the layout, another big difference between Pattern lock and Spiral lock is that the dots in Spiral lock can be reused in a cyclic fashion, so users can draw as many circles as they want. To be more explicit our independent variable is lock type, that is, Pattern, PIN, and Spiral lock types shown below: Figure 1. The Pattern lock (left), PIN lock (middle), and our creation Spiral lock (right) analyzed within this study Our dependent variables are unlocking speed and failed unlockings, specifically the speed in which the user is able to unlock their phone with the respective lock and the number of attempts/mistakes the user requires to unlock. These two variables are our quantitative study, while our qualitative study involve ableness of one-handed unlocking, likability of each respective lock, ultimate preference towards each type, and comfort of performing each unlocking procedure, achieved through a feedback questionnaire approach. The research question being addressed is, amongst the mentioned respective locks, which of them provided more efficiency to the user in terms of the mentioned dependent variables as well as providing a preferable experience overall. Although, this is a very generic stance, we believed that the Spiral lock would outperform the Pattern lock in both unlocking speed and failed unlockings, while in a similar study found between Pattern and PIN lock where the PIN outperformed the Pattern lock in both characteristics, it then suggests the Spiral lock would underperform in both characteristics in contrast to PIN and that is the stance we took, though when it comes to personal preference we expect the users would prefer the Pattern lock overall due to the users natural instinct of preferring to resist change. And, as for the PIN and Pattern lock, we expect the data of the Pattern lock to underperform in both speed and failed unlockings compared to the PIN lock. However, naturally we expect the user to prefer Pattern regardless of this result as mentioned in a previous study found. Please refer to the reference section for this study. METHODOLOGY Apparatus The equipment to be used in the present study include at least 3 touchscreen mobile phones, three types of mobile applications, 2 laptops, a code list sheet, a PowerPoint presentation which contained experiment instructions and lock combinations for all trials; and a questionnaire. The proposed touchscreen mobile device to test our experiment was, but not limited to, iphone 4 and iphone 4s, as long as they have the same display and model dimensions. This cellphone has the following specifications: 3.5-inch (diagonal) of display, 4.54 x 2.31 x 0.37 in of size, 0.37 inches of depth, and 4.9 ounces of weight. It runs either the ios7 or ios8, for which we developed our lock types in Object C, Xcode. The Pattern, PIN, Spiral lock were installed on the iphone 4 as applications. Participants were able to manipulate these applications through the phone's display where they inputted the corresponding unlock combination required for each lock using their fingers. In addition, within each application it contained a hidden stopwatch to record the time taken to unlock the application, this was used to record failed attempts as well.

The instruction sheet contained a bullet point list with very clear instructions of what steps participants needed to follow in the experiment. One laptop was connected to a monitor displaying on a PowerPoint presentation with lock combinations that was used in our experiment. They were shown twenty-seven different types of unlock combinations for each lock type, where the first of the twenty-seven was a test trial. The other laptop was used to display a questionnaire which was structured in three sections. One section asked personal information such as the participant code (provided by the experimenters), gender, and age. The second section contained main questions such as which lock did they find to be most preferred in terms of comfort, likability, and ease of one-handed unlocking. The third section was opened to the participant's opinion about our new lock pattern creation, the Spiral lock. These three sections encompass the qualitative portion of our study discussed in the later sections. The code list sheet, contained predefined code combination (i.e, P01, P02). It was used to assign a code to each participant to distinguish them during our experimental study. In terms of the combination space of the Spiral lock concept, users may increase the possibilities to as many nodes as they wish as long as it moves in a clockwise or counter-clockwise motion. For PIN lock, the combination space is 10^4 = 10,000. For Pattern lock, the length of Pattern lock is from 4 to 9. Its combination space is 389,112. Suppose there are 8 dots in our Spiral lock, there are 8*2^(N-1) possible combinations for passwords of length N, because from each dot, users can move either clockwise or counter-clockwise. Therefore, for Spiral lock, if the length of password length is from 4 to 10, the combination space is 8,128. If the password length is from 4 to 11, the combination space is 16,320, which is already safer than PIN lock. Because our design is unbounded, in theory, the combination space of Spiral lock is unlimited. In the application used in our experiment, we defined the range of password length is from 4 to 24, so the combination space in this case is 134,217,664. In this way, we can see Spiral lock as a potentially secure touch screen lock gesture. Of course there exists a tradeoff between the length of the combination they choose and the efficiency of unlocking with that combination. In other words, our design is unbounded in the combination space, but naturally holds a tradeoff proportionally in time and size of chosen combination. Participants We ve recruited twenty-seven participants to take part in our study for a limited Latin Square. Participants are at least twenty years old, they have at least a high school level education, and are either female or male. Also, all participants were familiar at least with the Pattern & PIN locks. Here, 'familiar' describes those participants that have experienced at least one time the Pattern & PIN locks on smartphones (note that they could be current users of either lock type), and 'familiar' does not apply to those whom have only heard or seen how to use it. In order to recruit volunteering participants posters were placed outside of our experiment room and as well as others around the Bahen building, located at University of Toronto St. George, indicating our experiment room location. The posters were brief and conveyed what the experiment consisted of and what we expected from the participants. Also, one person was assigned to be in charge to recruit, interview, and book for those that would like to participate. The main filtering questions that were inquired before signing up for the experiment was the following. Are you at least 20 years old? (The answer should be yes) Are you 'familiar' with the Pattern & PIN locks? (Yes, they should at least have experienced the Pattern & PIN locks one time) Do you have at least one hour free to participate in this experiment? (Yes they should have, otherwise, they won t be able to complete their role in the experiment) If the participants meet the above preliminary requirement, then they were able to participate in our experiment. In addition, the recruiter informed the participants of what the experiments consist of and that all experienced experimental procedure should be confidential. Finally, before participants enter the room they should have been assigned a code (i.e. P01) beforehand and once inside the room the participant is automatically considered under examination. All participants were volunteers and were not monetarily compensated. No special needs or requirements were necessary for the selected twenty-seven participants. Experimental Design We constructed a three level design, our independent variables were lock type, that is, Pattern, PIN, and Spiral, in hopes that the lock type would elicit a change in human response, while our dependent variables were unlocking speed and failed unlockings, specifically the speed in which the user is able to unlock their phone in a successful attempt provided a lock combination for the respective lock and the number of attempts/mistakes the user requires to produce a successful attempt. The two mentioned dependent variables consist of our quantitative study, while our qualitative study involved a feedback questionnaire consisting of ableness of onehanded unlocking, likability of each respective lock, ultimate preference towards each type, and comfort of performing each unlocking procedure. The design we have chosen is within participants since naturally we were asking for their subjective opinions amongst all lock types in the qualitative portion. We are also studying their efficiency and accuracy between the different lock types and thus we used a within group design. Random variables that may be at play involved prior experience to phone lock screens such as those who are

everyday users versus only familiar users and we have acknowledged this and accepted this variability. Our study requests participants who are at least familiar with the lock types - excluding our Spiral design. And naturally our control variable was phone model, where we select one phone model, that is, the one mentioned above and using only that model to test among all participants to achieve consistency and control of this study. Furthermore, to have counterbalancing we partitioned the twenty-seven participants into groups of nine where each group performed the study in the Latin Square ordering; PIN, Pattern, Spiral; Spiral, PIN, Pattern; and Pattern, Spiral, PIN. In regards to the basis of selection of the twenty-seven combinations for each respective lock, we chose to gradually increment the lock length of the Pattern and Spiral equally, while the PIN lock remained at a restricted length of four, for each trial. Also, for the lock combinations we tried to keep a steady and equal finger motion on the mobile screen. So if a PIN code is for example (7412) the Spiral and Pattern lock pattern will have the same motion (down to up then right). After a certain number of trials for the Pattern and Spiral we would switch up the directions and positioning of each combination to create equal variance. There exists an obvious limitation in the choice we ve made for the Pattern and Spiral lock trials in contrast with the PIN, but we ve acknowledged it and have found it to be negligible due to our results found. Tasks and Procedures The introduction portion began with a welcoming of the participant as they arrived who were then seated and presented with a consent form where they were asked if they wish to participate in this study and permit the use of the data gathered during this period. After the consent form was signed the participant began the study and were presented facing a monitor displaying the respective lock combination to unlock the respectively shown lock presented to them on the mobile phone mentioned. The instructions were presented before they began the study so that they may understand what is expected of them. The participant was asked to complete twenty-seven trials for each respective lock where the first trial was a test run to allow the user to gain familiarity with the environment. The test trial was not recorded in our study. However, the other trials was accounted for within our study and was respectively monitored for the dependent variables. Each trial had a unique lock combination that was generated randomly. We took into account the generated lock combination s number of swipe motions to complete the unlocking process, attempting to normalize throughout the three locks to the best of our abilities. The dependent variables (unlocking speed and failed unlockings) were recorded within the application we created, and was aggregated and analyzed afterwards. It was recorded through a start timer where the moment the user touches the screen of the mobile application it would start the timer and would respectively end the moment they unlock the phone. The failed unlockings was monitored through the number of unsuccessful attempts produced by the participant within a given trial. To complete one trial the participant must unlock the phone successfully without any errors. Only the time of a successful attempt without any errors was recorded. All participants were using the same pre-set randomly generated lock combination for each respective lock. The participant also had a brief break between each lock type. Finally, it is worth noting again that the test trial was not a part of the independent variable, as it is simply meant to get the participant a bit familiar with the respective lock presented. The debriefing involved a qualitative computer questionnaire asking for their subjective opinions, measuring comparisons between each lock type through their comfort, difficulties, likability, ultimate preference and so forth. Afterwards, the participant was thanked for their time and was escorted out of the study. Conclusively, this overall experimental research study falls under performance-based/skill-based tasks, and as such we monitored and focused more heavily on their performance in the dependent variables. Measures The quantitative and qualitative portion of our study collected data on the following variables. In regards to the speed of the unlocking process variable, it helped us determine which is the fastest between all lock types. We compared the average time that took each user to complete a successful unlock using each lock type. Only the time for successful attempts were included in the data collection. The PIN lock has correction and cancel capabilities within an attempt and we considered those attempts to be failed attempts if used. The reason is the pattern and spiral locks do not support the cancellation or correction of a started attempt, thus including the corrected PIN lock attempts time would corrupt our results. In regards to error rate of the unlocking process variable, it helped us evaluate the efficiency and ease of use of a lock type. We compared the number of the failed attempts with each respective lock against each other. Pattern and spiral locks don t have a cancellation or backspace option which means that any attempt is either successful or a failure, there are no intermediate correction. On the other hand, in regards to the PIN lock the user has failed attempt, successful attempt, or semi-successful attempt which includes using either cancel (to start over) or backspace to correct a wrong entry. So to balance the data collection among all lock types, any PIN attempt that uses cancel or backspace were considered a failed attempt. In regards to lock usability and likeability, it helped us determine which type of lock is more preferred and liked by

the user regardless of the result of the other two mentioned variables (unlocking speed & failed unlockings) within our data collection. We compared from a participant's perspective for each lock: ableness of one-handed unlocking, likability, preference, comfort, and personal opinions. Data Collection All data collections were computer-based and performed as follows. In regards to speed of the unlocking process variable, data collection of this variable was programmed in the lock system and was saved to a file for each type and each user trial (note once again that we only record for successful attempts). For the PIN lock the time started when the user presses the first key number and stops when the last key number is inputted For both the pattern and spiral locks, the time started immediately when the user touches the first node and stops when his finger is released from the screen In regards to error rate of the unlocking process variable, data collection of this variable was programmed in the lock system and was saved to a file for each lock type and each user trial. For the PIN lock entering a 4 digit correct passcode that uses a backspace or cancel button, as well as entering an incorrect 4 digit passcode was regarded as a failed attempt For the Pattern and Spiral locks, performing a wrong pattern was regarded as a failed attempt In regards to lock usability and likeability variable, the data collection of this variable was using an electronic questionnaire (survey monkey) filled by each participant after finishing all three lock type trials. The questionnaire contained selective feedback where the participant had to answer under a five-level Likert scale questions, along with comment feedback in regards to ableness of one-handed unlocking, likability, preference, comfort, and overall personal opinions. RESULTS The quantitative data was collected through saving log files on the mobile application for each lock type. In addition, the data was collected through an online questionnaire. For analyzing the quantitative measures we used a one-way, repeated measures, three level ANOVA test. The purpose behind using this type of test is because of the following reasons. The first reason, is because our study has one independent variable thus considered as one way. The second reason is that we have three dependent variables thus a three level. The third reason is because our study used the same participants for all three type of locks so it is considered as repeated measures. And finally, the fourth reason is because we needed a test that can identify significance in a three level study in a single test so we chose ANOVA. In addition when needed we used the Bonferroni correction method as a post-hoc test to counteract the problem of our three type comparison. For analyzing the qualitative measures we found the mean, which is the average rating, of the results obtained from each question of the questionnaire. The reason why we chose this method, is because it was a simple questionnaire using a five-level Likert scale questions, one ordinal scale, and one written feedback question. The purpose was just to determine which lock type was the most comfortable to use, along with one-handed unlocking and their preference ranking for each lock type. We have chosen to place the highest average rating (mean) at first place. Quantitative Results We compared the collected data of PIN, Pattern and Spiral lock types on several quantitative measures. In regards to unlocking speed, for each lock type we collected the speed (in seconds) of unlocking for each participant as shown in Figure 2. The average speed for unlocking using the PIN lock was 1.1793s and SD of 0.1666, the Pattern lock was 1.0627s and SD of 0.3146, the Spiral lock was 0.9137s and SD of 0.3077 as shown in Figure 2 & 3. Figure 2. The speed of unlocking each type of lock for each participant Figure 3. The mean +/- SD of number of unlockings using each type of lock We compared the collected data of unlocking speed of each lock type for each participant using a one-way, repeated

measures, three level ANOVA. The result revealed that the probability of changing the lock type have a significant effect on the unlocking speed, F(2,52) = 18.076, p < 0.05. The initial analysis does not show where exactly the differences occur, so a deeper analysis was made using the Bonferroni correction method. The result shows that all pairwise comparisons were statistically significant, p < 0.05. Participants unlocked the phone faster using the Spiral lock than using the PIN lock with a mean difference of 0.266s. Also, participants unlocked the phone faster using the Spiral lock in comparison to using the Pattern lock with a mean difference of 0.149s. On the other hand, with a mean difference of 0.117s the unlocking speed using Pattern lock outperformed the PIN lock. In regards to failed unlockings, for each lock type we collected the number of failed unlockings for each participant as shown in Figure 4. The average number of failed unlockings using the PIN lock was 1.22 and SD of 1.4500, the Pattern lock was 3.04 and SD of 2.8214, the Spiral lock was 3.00 and SD of 2.8011 as shown in Figure 4 & 5. Figure 4. Number of failed unlockings for each type of lock for each participant The result shows that all pairwise comparisons were statistically not significant except for PIN vs. Pattern and PIN vs. Spiral, p < 0.05. Participants failed in unlocking the phone more often when using the Spiral lock than using the PIN lock with a mean difference of 1.778. Also, participants failed in unlocking the phone more often when using the Pattern lock then using the PIN lock with a mean difference of 1.815. Unfortunately, using the failed unlockings data collected in our experiment, we cannot determine the relationship between the Pattern and Spiral lock Qualitative Results Each participant answered a questionnaire to give their feedback and opinions about the three lock types. The questionnaire had three questions where the participant was able to answer them using a five-level Likert scale. At the end, the questionnaire had also an open question where the participant was able to give us an additional written feedback about the three lock types. We attempted to analyze the collected data from the questionnaire using one-way, repeated measures, three level ANOVA. However, the results were not significant p>0.05 due to the given feedback by the participants were almost even between the three lock types. Therefore, we decided to analyze the qualitative data using the mean, which is the average between the given scores for each question. By using the mean, we can see the results differing slightly through the decimal points. The results obtained from the questionnaire, shows that the PIN lock and the Pattern lock are considered the most comfortable to use by the twenty-seven participants as shown in Figure 6. Figure 5. The mean +/- SD of number of failed unlockings using each type of lock We compared the collected data of the number of failed unlockings of each lock type for each participant using a one-way, repeated measures, three level ANOVA. The result revealed that the probability of changing the lock type have significant effect on the number of failed unlockings, F(2,52) = 6.932, p < 0.05. The initial analysis does not show where exactly the differences occur, so a deeper analysis was made using the Bonferroni correction method. Figure 6. User conformity evaluation when performing their unlocking action using the three different lock types. In figure 6, the PIN lock and the Pattern lock are considered the most comfortable lock type amongst the twenty-seven participants, while the Spiral lock is considered the least comfortable. The mean obtained for each lock type was the following: PIN lock (3.74), Pattern lock (3.74) and the Spiral lock (3.37).

Figure 7. Ease of a one-handed unlocking. Results in Figure 7 showed that participants consider that Spiral lock is easy to use under one-handed unlocking, presenting a mean of 3.81, followed by the PIN lock with 3.70, and the Pattern lock as the least preferred by the user with 3.63. Figure 8. Ranking score of the three lock types in order of preference. It was ranked 1 to 3, where 1 represents the most preferred. In Figure 8, results of the third question shows that the Pattern lock is ranked first place as the most preferred by the participants. However, the difference between the Spiral lock type and Pattern lock type is irrelevant, where the first has a mean of 2.04 and 2.00 respectively. In the third place is the PIN lock, as the least preferred from the participants. The last question presented was to give us additional feedback about the lock types that were used in the experiment. Overall, comments were positive for Spiral, participants consider it to be more natural and has more accessibility. Some participants comments indicated that they were more familiar with the PIN lock. No feedback was given for the Pattern lock. DISCUSSION In regards to Pattern lock vs. Spiral lock, from the result, the pairwise comparisons between the Spiral lock and the Pattern Lock were statistically significant and the mean of Spiral lock was lower than that of the Pattern lock. So we are able to draw the conclusion that the Spiral lock outperforms the Pattern lock in speed, which is our hypothesis. Since, the shape of the lock is a circle, the unlocking gesture is more natural and fluent than that of the Pattern lock. In addition, the distances between neighbor dots of Spiral lock are smaller than that of Pattern lock. All these reasons suggest why Spiral unlocking is faster than Pattern unlocking. Though in general the unlocking gestures affect the failed unlockings, the difference between Pattern and Spiral lock is not significant enough to draw a conclusion that Spiral lock has a better performance than Pattern lock in failed unlockings. Our hypothesis is that the Spiral lock would outperform the Pattern lock in both unlocking speed and failed unlockings. So our result is insufficient to support our hypothesis. Spiral lock is designed based on Pattern lock, so the unlocking gestures of them are similar. This is the main reason why the collected data of them are close. However, we cannot ignore that the failed unlockings of Spiral lock is smaller than Pattern lock, though Spiral lock is a completely new lock to all participants, while almost all participants are familiar with Pattern lock. So, Spiral lock still has its potential. If the participants were better trained to use Spiral lock before experiments, the difference between Pattern lock and Spiral lock might be more significant. In regards to PIN lock vs. Spiral/Pattern lock, one thing we notice is that the unlocking of Pattern lock and Spiral lock are both faster than PIN lock, which is opposite to the results of the research mentioned in our literature review. The reason is possibly the length of the passwords. A big difference between Pattern/Spiral lock and PIN lock is the length of passwords. For PIN lock, the length of passwords is fixed, which is four, but for Pattern/Spiral lock, the length of passwords is variable. For example, if the length of password of Pattern lock is twenty, it is obvious and reasonable that the time used to unlock the Pattern lock is longer than the time to unlock a regular PIN lock. But usually, users will not set such a long lock password for their mobile phones. Therefore, choosing the length of passwords is crucial in the experiments. In our experiments, the length average of password for Pattern Lock is 5.7, the range of it is 4 ~ 9, the length average of password for Spiral Lock is 5.8, the range of it is 4 ~ 10. As noticed the average lengths of Pattern Lock and Spiral Lock are both longer than the length of the PIN lock password, but the Pattern and Spiral locks still outperform the PIN lock. The PIN lock has fewer failed unlockings than both Spiral and Pattern lock. This is in line with our hypothesis. There are two main possible reasons. The first one is the length of passwords. As mentioned above, the average lengths of passwords of Pattern and Spiral lock are both longer than the length of PIN lock passwords. Usually, the longer the password is, the higher the possibility to make a mistake. The second possible reason is that because of the influence of frictional force, drawing on the screen is less accurate than tapping on the screen. An interesting fact we found in our questionnaire result is that even though PIN lock is considered to be the most

comfortable to use, it is the least preferred among all locks. In the experiments, PIN lock had the fewest failed unlockings, and knowing this to be the case during the experiment for each participant, it could possibly be the reason why PIN lock is considered the most comfortable. However, for preference many participants feel numeric passwords are harder to remember, while they can easily memorize shape-based password. As we expected, Pattern lock is ranked first as the most preferred by the participants. Spiral lock is new, the participants require a reasonable amount of time to gain familiarity towards it and this may be the reason for the preference level it was given. CONCLUSION We conducted the evaluation and analysis of three types of locks, Pattern, PIN and one designed by ourselves, that is the Spiral lock. On the unlocking speed aspect, Spiral lock is considered the winner with an average time of 0.937s, while PIN lock was the slowest. However, the number of failed unlockings of the PIN lock is the fewest with an average of 1.22. Unfortunately we couldn t gain significant results between the Pattern lock and Spiral lock in regards to the number of failed unlockings. On the other hand from a participant point of view and feedback, we conclude that although the PIN lock was the most comfortable lock it was the least preferred leaving the Pattern lock as the participants best choice. Our reasoning for why the Spiral is the second preferred choice is potentially due to it being foreign or new to the participants and as such taking into account the results of the above quantitative and qualitative measures, we can say that the Spiral lock holds great potential. One of the limitations of our work is that we did not additionally conduct experiments where all three locks have the same lengths of passwords, which would give a more accurate and straightforward result of performances of the three types of lock. Another limitation is the number of participants in our experiments. We only gathered twentyseven participants. The results would be more convincing if we had more participants. Memory is also influences our experiment, where some misremembered the passwords presented. This type of error does not involve the lock user interface design. Future work could be done by taking into account the above mentioned limitations. However, in conclusion we believe we have demonstrated that the Spiral lock design presented does hold significant potential in enhancing and improving upon the limitations of common lock designs such as Pattern and Spiral and is a potential step forward in regards to speed and error rate efficiency. ACKNOWLEDGMENTS We thank all the volunteers, and staff, who wrote and provided helpful comments on previous versions of this document. As well authors 1, 2, 3, & 4 gratefully acknowledge the guidance and teachings of Olivier St-Cyr and Aakar Gupta. REFERENCES 1. Gartner. Gartner Forecast: Mobile Phones, Worldwide, 2011-2017, 2Q13 Update. 2.Falaki, H., Mahajan, R., Kandula, S., Lymberopoulos, D., Govindan, R., and Estrin, D. (2010) Diversity in Smartphone Usage. Proc. MobiSys 10, ACM, 179-194 3.Klasnja, P., Harrison, B.L., LeGrand, L., LaMarca, A., Froehlich, J., Hudson, S.E. Using wearable sensors and real time inference to understand human recall of routine activities. Ubicomp 2008: 154-163 4.Oulasvirta, A., Rattenbury, T., Ma, L., and Raita, E. (2012) Habits make smartphone use more pervasive. Personal and Ubiquitous Computing, 16(1), 105-114. 5.Zezschwitz, E.V., Dunphy, P., De Luca, A. Patterns in the Wild: A Field Study of the Usability of Pattern and PINbased Authentication on Mobile Devices 6.Clarke, N.L., Furnell, S.M., Rodwell, P.M., Reynolds P.L. Acceptance of subscriber authentication methods for mobile telephony devices. Computers & Security, 21 (3). (2002), 220-228. 7.Nelson, D. L., Reed, V. S., Walling, J. R. Pictorial superiority effect. Journal of Experimental Psychology: Human Learning and Memory 2 (5). (1976), 523-528. 8.Standing, L. Learning 10,000 pictures. The Quarterly Journal of Experimental Psychology, 25(2). (1973), 20722. 9.Fleishman, E., Parker, J. Factors in the retention and relearning of perceptual-motor skill. Journal of Experimental Psychology, 64. (1962), 215 226. 10.Shadmer, R., Brashers-Krug, T. Functional stages in the formation of human long-term motor memory. The Journal of Neuroscience, 17(1). (1997), 409-419. 11.Dunphy, P., Yan, J. Do background images improve "draw a secret" graphical passwords? In Proceedings CCS 2007. ACM Press (2007), 36-47. 12.Weiss, R., De Luca, A. PassShapes: utilizing stroke based authentication to increase password memorability. In Proceedings NordiCHI 2008. ACM Press (2008), 383392. 13.De Luca, A., Denzel, M. and Hussmann, H. Look into my eyes! Can you guess my password? In Proceedings SOUPS 2009. ACM Press (2009), 7:1-7:12. 14.Rogers, J. Please enter your four-digit pin. Financial Services Technology, U.S. Edition Issue 4 (Mar. 2007). 15.Aviv, A. J., Gibson, K., Mossop, E., Blaze, M., Smith, J. M. Smudge attacks on smartphone touch screens. In USENIX 4th Workshop WOOT 2010. 16.Karlson, A., Brush, A.J., Schechter, S. Can I borrow your phone? Understanding concerns when sharing mobile phones. In Proceedings CHI 2009. ACM Press (2009), 1647-1650