Accession Number:



Baseline Measurements of Shoulder Surfing Analysis and Comparability for Smartphone Unlock Authentication

Descriptive Note:

Technical Report

Corporate Author:


Personal Author(s):

Report Date:


Pagination or Media Count:



In this research, we explore a novel approach to measuring the susceptibility of smartphone unlock authentication to shoulder surfing attacks. We have created a series of video recordings in which researchers enter authentication sequences (e.g., PINs, graphical patterns with lines, and graphical patterns without lines) into mobile devices in a controlled setting. These videos are designed to simulate shoulder surfing settings under varied attack conditions. Camera angles have been selected to mimic the locations where observational attacks may take place. Participants have taken the survey and played the role of attackers, viewing video-recorded footage of PIN and graphical pattern authentication input with various camera angles, hand positions, phone sizes, and authentication lengths and strengths. In this study, we recruited 94 midshipman participants as well as 1164 more respondents via Amazon Mechanical Turk, an online service to recruit survey participants. Based on the collected data, for example, measurements of the success rate of an attack and the recording methodology developed, we provide insight into the factors of mobile unlock authentication that best and least resist shoulder surfing attacks, and examine scenarios where weaknesses may occur. There are significant differences in success rates between the different authentication types. For PINs with a single view, the average success rate is 23.04. The pattern with lines authentication has more than triple the success rate with a single view, at 72.44. The goal of this research is to identify more effective guidance for mobile device users to avoid observational attacks. We also aim to advance the methodologies used to measure shoulder surfing attack surfaces, where baselines of comparison to preexisting systems (e.g., PINs and patterns) are not standardized.

Subject Categories:

  • Computer Systems Management and Standards
  • Radio Communications

Distribution Statement: