Smudge attack

From Wikipedia, the free encyclopedia
An iPad used by children with its touchscreen covered with fingerprint smudges

A smudge attack is an information extraction attack that discerns the password input of a touchscreen device such as a cell phone or tablet computer from fingerprint smudges. A team of researchers at the University of Pennsylvania were the first to investigate this type of attack in 2010.[1][2] An attack occurs when an unauthorized user is in possession or is nearby the device of interest. The attacker relies on detecting the oily smudges produced and left behind by the user's fingers to find the pattern or code needed to access the device and its contents.[2] Simple cameras, lights, fingerprint powder, and image processing software can be used to capture the fingerprint deposits created when the user unlocks their device. Under proper lighting and camera settings, the finger smudges can be easily detected, and the heaviest smudges can be used to infer the most frequent input swipes or taps from the user.[1]

Smudge attacks are particularly successful when performed on devices that offer personal identification numbers (PINs), text-based passwords, and pattern-based passwords as locking options.[3] There are various proposed countermeasures to mitigate attacks, such as biometrics, TinyLock, and SmudgeSafe, all which are different authentication schemes.[4][5][6] Many of these methods provide ways to either cover up the smudges using a stroking method or implement randomized changes so previous logins are different from the current input.


The smudge attack method against smartphone touch screens was first investigated by a team of University of Pennsylvania researchers and reported at the 4th USENIX Workshop on Offensive Technologies. The team classified the attack as a physical side-channel attack where the side-channel is launched from the interactions between a finger and the touchscreen. The research was widely covered in the technical press, including reports on PC Pro, ZDNet,[7] and Engadget.[8] The researchers used the smudges left behind on two Android smartphones and were able to break the password fully 68% of the time and partially 92% of the time under proper conditions.[1]

Once the threat was recognized, Whisper Systems introduced an app in 2011 to mitigate the risk. The app provided their own versions of a pattern lock and PIN authentication that required users to complete certain tasks to cover up the smudges created during the authentication process. For the PIN verification option, the number options were vertically lined-up, and user were required to swipe downward over the smudged area. For the pattern lock, the app presented a 10x10 grid of stars the users had to swipe over and highlight before accessing the home screen.[9][10]


An iPad clearly showing the fingerprint smudges left behind on the touchscreen

Interpreting the smudges on the screen requires less equipment, and there is less experience needed to be an attacker. In combination with the negative ramifications for victims of an attack, there is a lot of concern in relation to this type of attack. The smudge attack approach could also be applied to other touchscreen devices besides mobile phones that require an unlocking procedure, such as automatic teller machines (ATMs), home locking devices, and PIN entry systems in convenience stores. Those who use touchscreen devices or machines that contain or store personal information are at a risk of data breaches. The human tendency for minimal and easy-to-remember PINs and patterns also lead to weak passwords, and passwords from weak password subspaces increase the ease at which attackers can decode the smudges.[11]

Same iPad after wiping screen for exactly 6 seconds with jacket sleeve still with visible fingerprint marks

Smudge attacks are particularly dangerous since fingerprint smudges can be hard to remove from touchscreens, and the persistence of these fingerprints increases the threat of an attack. The attack does not depend on finding perfect smudge prints, and it is still possible for attackers to figure out the password even after cleaning the screen with clothing or with overlapping fingerprints.[2] Cha et al.[12] in their paper, "Boosting the Guessing Attack Performance on Android Lock Patterns with Smudge Attacks," tested an attack method called smug that combined smudge attacks and pure guessing attacks. They found that even after the users were asked to use the Facebook app after unlocking the device, 31.94% of the phones were cracked and accessed.[12]

Another danger of smudge attacks is that the basic equipment needed to perform this attack, a camera and lights, is easily obtainable. Fingerprint kits are also an accessible and additional, but not required, piece of equipment ranging from $30-$200. These kits increase the ease with which an attacker can successfully break into a phone in possession.[13]

Types of attackers[edit]

The team at the University of Pennsylvania identified and considered two types of attackers: passive and active.


An active attacker is classified as someone who has the device in hand and is in control of the lighting setup and angles. These attackers can alter the touchscreen in a way to better identify the PIN or pattern code by cleaning or using fingerprint powder.[2] A typical setup from an active attacker could include a mounted camera, the phone placed on a surface, and a single light source. Slight variations in the setup include the type and size of the light source and the distance between the camera and the phone. A more experienced attacker would pay closer attention to the angle of the light and camera, the lighting source, and the type of camera and lens used to get the best picture, taking into account the shadows and highlights when the light reflects.[1]


A passive attacker is an observer who does not have the device in hand and instead has to perform an eavesdropping-type attack.[2] This means they will wait for the right opportunity to collect the fingerprint images until they can get in possession of the gadget. The passive attacker does not have control of the lighting source, the angle, the position of the phone, and the condition of the touchscreen. They are dependent on the authorized user and their location to get a good quality picture to crack the security code later on.[1]

Methods and techniques[edit]

There are different steps and techniques that attackers use to isolate the fingerprint smudges to determine the lock pattern or PIN. The attacker first has to identify the exact touch screen area, any relevant smudges within that area, and any possible combination or pattern segments.[12]


In the cases where the fingerprints are not super visible to the eye, preprocessing is used to identify the most intact fingerprints determined by the number of ridge details they have. Selecting the fingerprints with the most ridge details differentiates between the user's fingerprints and those with whom the device is shared.[13] When pressing a finger down on the touch screen surface to create a fingerprint, the liquid from the edges of the ridges fill in the contact region. This fingerprint liquid is made up of substances from the epidermis, the secretory glands, and extrinsic contaminants such as dirt or outside skin products. As the fingertip is lifted, the liquid also retracts, leaving behind the leftover traces.[14] Attackers are able to use fingerprint powder to dust over these oil smudges to unveil the visible fingerprint and their ridges. The powder can enhance the diffuse reflection, which reflects from rough surfaces and makes the dusted smudge more visible to the human eye. There are different powders to choose from based on the colors that best contrasts with the touchscreen and the environment. Examples of powders are aluminum, bronze, cupric oxide, iron, titanium dioxide, graphite, magnetic, and fluorescent powder. This dusting action also mimics the processes used in a crime scene investigation.[13]

Preserving fingerprints[edit]

Preserving fingerprints utilizes a camera to capture multiple pictures of the fingerprint images or the keypad with different light variations. Generally, high-resolution cameras and bright lights work the best for identifying smudges. The goal is to limit any reflections and isolate the clear fingerprints.[13]

Visibility of objects[edit]

The visibility of the fingerprint relies on the light source, the reflection, and shadows. The touch screen and surface of a smart device can have different reflections that change how someone views the image of the fingerprint.[13]

  • Diffuse Reflection : Incident rays that are reflected at many angles and produced from rough surfaces. Diffuse reflection of light reflects the image of the fingerprint that the human eye can see. The techniques used in preprocessing and strong light enhances the diffuse reflection for a clearer photo.[13]
  • Specular Reflection : Incident rays are reflected at one angle and produced from smooth surfaces. Specular reflection of light reflects a "virtual" image (since it doesn't produce light) that seems to come from behind the surface. An example of this is a mirror.[15]

Mapping fingerprints to keypad[edit]

Fingerprint mapping uses the photographed smudge images to figure out what keys were used by laying the smudge images over the keypad or by comparing the image with a reference picture. Mapping the positions of smudges helps the attacker figure out which tapped keys were used by the authorized user. First, the fingerprints and keypad images are resized and processed to find the areas the corresponding fingerprints and keys occupy. Next, the Laplace edge detection algorithm is applied to detect the edges of the ridges of a finger, sharpen the overall fingerprint, and eliminate any of the background smudges. The photo is then converted into a binary image to create a contrast between the white fingerprints and the black background. Using this image with grid divisions also helps clarify where the user has tapped based on the locations with the largest number of white dots in each grid area.[13]

Differentiating between multiple fingerprints[edit]

In the case that there are multiple users, grouping fingerprints can help classify which ones belong to each person. Fingerprints have both ridges and valleys, and differentiating them is determined by the overall and local ridge structure. There are three patterns of fingerprint ridges– arch, loop, and whorl– that represent the overall structure, and the ridge endings or bifurcation represent the local structure or minutiae points.[4] Different algorithms incorporate these fingerprint traits and structure to group the fingerprints and identify the differences. Some examples of algorithms used are Filterbank, adjacent orientation vector (AOV) system, and correlation-filter.[13]

  • Filterbank requires whole fingerprints and cannot identify just the tips of the finger since it uses both the local and overall structure. The algorithm works by selecting a region of interest and dividing it into sectors. A feature vector with all the local features is formed after filtering each sector, and the Euclidean distance of the vectors of two fingerprint images can be compared to see if there is a match.[13]
  • Adjacent orientation vector system matches fingerprints based only on the number of minutiae pairs and the finger details rather than the global/overall structure of the finger. The algorithm works by numbering all of the ridges of the minutiae pairs and creating an AOV consisting of that number and the difference between adjacent minutiae orientations. The AOV score or distance of the two fingerprints are computed and checked against a threshold after fine matching to see if the fingerprints are the same.[13]
  • Correlation filter works with both whole fingers and fingertips. This algorithm works by using a correlation filter or training image of the fingerprint to the image to find the local and overall ridge pattern and ridge frequency. When verifying a fingerprint, the transformation is applied to the test image and multiplied by the results of applying the correlation filter on the person of interest. If the test subject and template match, there should be a large result.[13]

Smudge-supported pattern guessing (smug)[edit]

Smug is a specific attack method that combines image processing with sorting patterns to figure out pattern-based passwords. First, the attackers take a picture of the smudge area using an appropriate camera and lighting. Using an image-matching algorithm, the captured image is then compared to a reference picture of the same device to properly extract a cropped picture focused on the smudges. Next, the smudge objects are identified using binary, Canny edge detection, and Hough transformation to enhance the visibility of the fingerprint locations. Possible segments between the swipes and points are detected with an algorithm to form the target pattern. The segments are then filtered to remove unwanted and isolated edges to only keep the edges that follow the segment direction. These segments are identified by figuring out if the smudge between two grid points is part of a pattern after comparing the number of smudge objects against the set threshold. Lastly, these segments are used in a password model to locate potential passwords (e.g. n-gram Markov model). An experiment conducted found that this method was successful in unlocking 360 pattern codes 74.17% of the time when assisted by smudge attacks, an improvement from 13.33% for pure guessing attacks.[12][16]

Types of vulnerable security methods[edit]

Smudge attacks can be performed on various smart device locking methods such as Android Patterns, PINs, and text-based passwords. All of these authentication methods require the user to tap the screen to input the correct combination, which leads to susceptibility to smudge attacks that look for these smudges.[17]

Personal Identification Numbers (PINs)[edit]

PINs are not only susceptible to smudge attacks but other attacks possible through direct observation like shoulder-surfing attacks or just pure guessing like brute-force attacks. They are also used heavily in electronic transactions or for using ATMs and other banking situations. If a PIN is shared or stolen, the device or machine cannot detect whether the user is the rightful owner since it only relies on if the correct number is inputted. In relation to smudge attacks, this allows attackers to easily steal information since there is no other way to authenticate the user for who they actually are.[18]

Text-based passwords[edit]

Touchscreen devices that use text-based passwords will contain fingerprint smudges in the location of corresponding numbers or letters on the alphanumeric keypad. Attackers can use this to perform the smudge attack. The downfall to text-based passwords is not only its vulnerability to smudge attacks but also the tendency of users to forget the password. This causes many users to use something that is easy to remember or to reuse multiple passwords across different platforms. These passwords fall under what is called a weak password subspace within the full password space and makes it easier for attackers to break in through brute-force dictionary attacks.[11] A 2017 study reviewed 3289 passwords, and 86% of them had some sort of structural similarity such as containing dictionary words and being short.[19]

Draw-a-Secret (DAS)[edit]

Draw-a-Secret is a graphical authentication scheme that requires the users to draw lines or points on a two-dimensional grid. A successful authentication depends on if the user can exactly replicate the path drawn. Android Pattern Password is a version of Pass-Go that follows the concept of DAS.[20][21]


Pass-Go uses a grid so that there isn’t a need to store a graphical database and allows the user to draw a password as long as they want. Unlike DAS, the scheme relies on selecting the intersections on a grid instead of the cells on the screen, and users can also draw diagonal lines. Tao and Adam who proposed this method found that over their three month study, many people drew longer pattern passwords, which goes against the tendency to choose minimal and easy-to-remember passwords.[22]

Android pattern passwords[edit]

Android pattern lock is a graphical password method introduced by Google in 2008 where users create a pattern on a line-connecting 3x3 grid.[16] About 40% of Android users use pattern lock to secure their phones.[16] There are 389,112 possible patterns that the user can draw up.[23] Each pattern must contain at least 4 points on the grid, use each contact point once, and cannot skip intermediate points between points unless it's been used earlier.[21] Touchscreen devices that use Android pattern lock will leave behind swipes that give away the right location and combination an attacker needs to unlock the phone as an unauthorized user. The security of Android pattern lock against smudge attacks was tested by researchers at the University of Pennsylvania, and from the swipes left behind from the drawn pattern, they were able to discern the code fully 68% of the time and partially 92% of the time under proper conditions.[1]


Physiological biometrics such as Android Face Unlock, iPhone Touch ID and Face ID, and Trusted Voice have been recently implemented in mobile devices as the main or alternative method of validation. There are also other novel ways that have potential to be a future security scheme but haven't been implemented yet into mainstream usage.[24] Some of these ways avoid the requirement to input anything with their fingers and thus eliminating the ability for attackers to use smudges to determine the password lock.

Strong passwords[edit]

Although there are many countermeasures that help protect against smudge attacks, creating secure passwords can be the first step to protecting a device. Some of the recommended steps are:[25]

  • Passwords should be at least 8 characters long. A longer password strays away from the weak password subspace and makes it harder for the attacker to interpret more fingerprint smudges
  • Avoid using words in the dictionary as they can be more common and make the password weak.
  • Change passwords frequently.
  • Use randomly generated passwords. Random passwords prevent a user from selecting commonly used and easy-to-remember words that are easily susceptible to attacks.
  • Avoid using the same password for every security authentication system. This prevents attackers from accessing other information if they happen to discover one of the passwords.

Although these are the recommended tips for stronger passwords, users can run out of strong password options they will remember and later forget the passcode after frequent changes. To avoid this, users tend to choose short, weaker passwords to make it more convenient and shorten the unlocking time.[26]

Anti-fingerprint protection[edit]

Researchers have looked into anti-fingerprint properties that can allow people to keep their current password schemes and not worry about the leftover smudges. Surfaces that are able to repel the water and oils from the finger are called amphiphobic. Surfaces that have low surface energy and surface transparency (low roughness) are typically anti-smudge due to their higher contact angles and low molecular attraction. Low molecular attraction means that there is little to no adhesion for the oil and water molecules to bind to the surface and leave behind a trace. However, achieving these properties while still functioning as a touchscreen is hard as the low surface energy alters the durability and functionality of the touchscreen itself.[14]

With this research, various anti-smudge screen protectors have been put on the market such as Tech Armor's anti-glare and anti-fingerprint film screen protector and ZAGG's InvisibleShield Premium Film and Glass Elite (tempered glass) antimicrobial screen protectors. ZAGG markets its InvisibleShield as smudge resistant, glare resistant, and scratch proof.[27] These phone accessories can range from 30 to 60 dollars.[28]

There have also been various smartphones on the market that have been pitched as having an oleophobic coating, which resists oil to keep the touchscreen free from fingerprints. The oleophobic screen beads up any oil residuals, preventing them from sticking to the surface and making it easy to wipe finger residuals off without smearing.[29] In July 2016, Blackberry released the DTEK50 smartphone with an oleophobic coating.[30][28] Other phone developers have used this for the touchscreens of their devices such as Apple's many generations of iPhones,[31][32] Nokia, and Lumia. and HTC Hero.[33]


Biometrics is a type of authentication that identifies a user based on their behavior or physical characteristics, such as keystrokes, gait, and facial recognition rather than what one can recall or memorize.[4] A biometrics system takes the unique features from the individual and records them as a biometric template, and the information is compared with the current captured input to authenticate a user.[34] Biometrics is categorized as either physiological or behavioral by the US National Science and Technology Council’s Subcommittee (NSTC) on Biometrics.[35] This type of security can serve as a secondary protection to traditional password methods that are susceptible to smudge attacks on their own since it doesn't rely on entering a memorized number or pattern or recalling an image. Research conducted on biometric authentication found that a mix or hybrid of biometrics and traditional passwords or PINs can improve the security and usability of the original system.[36]

One of the downsides to biometrics is mimicry attacks where the attackers mimic the user. This can increase the vulnerability of the device if attackers turn to methods that allow them to copy the victim’s behavior. Some of these methods include using a reality-based app that guide attackers when entering the victim’s phone or using transparent film with pointers and audio cues to mimic the victim’s behavior.[37] Another vulnerability is that the biometric template can be leaked or stolen through hacking or other various means to unauthorized people.[38][39] A possible solution to any theft, leak, or mimicry are fingerprint template protection schemes as they make it difficult for attackers to access the information through encryption and added techniques.[36][38]


Physiological biometrics authenticates a user based on their human characteristics. Measuring the characteristics unique to each individual creates a stable and mostly consistent mechanism to authenticate a person since these features do not change very quickly. Some examples of physiological biometric authentication methods are listed below.[35]


Behavioral biometrics authenticates a user based on the behavior, habits, and tendencies of the true user. Some examples include voice recognition, gait, hand-waving, and keystroke dynamics.[35] The schemes listed below have been proposed to specifically protect from smudge attacks.

  • Touch-Interaction: Touch-interaction is a proposed way of authenticating a user based on their interactions with the touch screen such as tapping or sliding. There are two types: static that checks the user once and continuous that checks the user multiple times. The convenience of this method is that it doesn't require extra sensors and can check and monitor the user in the background without the help or attention of the user. Chao et al. describes the process in which the up, down, right, and left motions are checked in terms of the position of the finger, the length of the swipe, the angle, the time it takes, the velocity, acceleration, and finger pressure. In their conducted experiment, they tested on how usable and reliable the touch-based method is and found that all of the touch operations were stable and blocked unauthorized users with an expected error rate of 1.8%. However, there are still other factors like the smartphone type, the software, environment, familiarity of the phone, and physical state of the user that could create variability and thus a higher rate of error.[40]
  • BEAT : This specific unlocking method is called BEAT, which authenticates the behavior of the user or how they perform a gesture or signature. A gesture is swiping or pinching the touch screen, and a signature scheme requires the user to sign their name. This method is secure from smudge attacks and also does not need extra hardware. BEAT works by first asking the user to perform the action 15 to 20 times to create a model based on how they performed the action to use for authentication. The features identified are velocity magnitude, device acceleration, stroke time, inter-stroke time, stroke displacement magnitude, stroke displacement direction, and velocity direction. Machine learning techniques are then applied to determine whether the user is legitimate or not. An experiment was conducted using the BEAT method on Samsung smartphones and tablets and found that after collecting 15,009 gesture samples and 10,054 signature samples, the error rate of 3 gestures is 0.5% and about 0.52% for one signature.[41]


SmudgeSafe is another authentication method protected from smudge attacks that uses 2-dimension image transformations to rotate, flip, or scale the image at the login screen page. The user will draw a graphical password shaper created from the points on an image as usual, but the image will look different every time the user logs in. The changes done on the image are randomized, so previous login smudges do not give hints to attackers on what the input is. To ensure that the transformations applied will significantly change the locations of the password points, the area of these specific locations on the image is restricted. In a study comparing SmudgeSafe's graphical authentication method to lock patterns and PINs, SmudgeSafe performed the best with a mean of 0.51 passwords guessed per participant. The pattern lock had a mean of 3.50 and PINs had a mean of 1.10 passwords correctly guessed per participant.[6]


TinyLock was proposed by Kwon et al.[5] and uses two grids; the top one is for the pressed cells for the confirmation process, and the bottom one is a drawing pad for the authentication process.[5] The top grid is used to notify the user by flickering and vibrating if the user is on the correct initial dot before they start drawing. The bottom half of the screen contains a tiny 3 x 3 grid used for drawing the secret password. The grid is much smaller in size compared to traditional pattern locks, which forces the user to draw in a confined space to squeeze all the smudges in a small area. This method mitigates smudge attacks because the smudges are all smushed together, and the users are required to draw a circular virtual wheel in either direction after drawing the pattern password. However, this method is not completely free from shoulder-surfing attacks.[20] Also, another drawback is the grid dots are hard to visualize due to the small size, which makes it difficult to draw complex patterns and unlock without error.[16]


ClickPattern uses a 3 x 3 grid labeled one through nine, and the user has to click on the nodes that correlate with the end of a drawn line to prevent swiping on the screen. Doing this creates smudges that are harder to distinguish from normal screen usage. If anything, the smudges created will reveal the nodes used but not the pattern, thus being more protected from smudge attacks than Android pattern lock. On the lock screen, ClickPattern consists of these three components:[42]

  • Grid 3 x 3
  • Table numbered 1- 9
  • Okay and Undo Button

The user is authenticated when the inputted pattern is the same as the original pattern and in the same exact order and direction. To create a valid pattern, the pattern must have at least 4 points and none of them can be used more than once. The pattern will also always contain dots in between a sequence, even though it does not necessarily need to be clicked. Users can also go through previously used dots to access an unused node.[42]

Multi-touch authentication with Touch with Fingers Straight and Together (TSFT)[edit]

This multi-touch authentication uses geometric and behavioral characteristics to verify users on a touch screen device. According to Song et al.,[43] this TFST gesture takes an average of 0.75 seconds to unlock, is very easy to use, and simple to follow. The user puts two to four fingers together in a straight position, decreasing the amount of surface compared to other multi-touch methods. With the fingers in this fixed hand posture, the user can choose to either trace a simple or complex pattern, and the screen will pick up the positions of the fingers and record each trace movement in the form of touch events. These touch events account for the X and Y-coordinates, the amount of pressure applied, the finger size, the timestamp, and the size of the touched area, and are compared to the template created during the registration process.[19] The physiological features or hand geometry include a measurement between possible strokes from the performed gesture. Horizontal strokes track the finger length differences, and vertical strokes track the finger width. Since the user always places their fingers in a straight position, the measurements of the finger will stay the same and provide consistent verification. Lastly, there are behavioral features that are traced, specifically the length of the stroke, the time it takes, the velocity of the stroke, the tool or the area for each touch point in relation to finger size, the touch area size, the pressure applied, and the angle of the stroke. For one stroke, there are 13 behavioral features, and this increases to 26, 39, and 52 for up to four strokes.[43]

Bend passwords[edit]

With new technology geared towards creating a flexible display for smartphone devices, there are more opportunities to create novel authentication methods. Bend passwords are an original type of password authentication used for flexible screens. It involves different bend gestures that the users perform by twisting or disfiguring the display surface, and there are a total of 20 gestures currently available. The bending can be a part of a single gesture by individually bending one of the four corners of the display or part of a multi-bend gesture by simultaneously bending pairs of corners.[44]

Fractal-Based Authentication Technique (FBAT)[edit]

A new proposed authentication method called Fractal-Based Authentication Technique (FBAT) uses Sierpinski’s Triangle to authenticate users. This process combines recognition-based and cued recall-based authentication as the users have to recognize and click on their personal pre-selected color triangles as the level of triangles increases. For smartphones, the level of triangles is set at 3 due to the limited size of the touch screen, but it can increase for bigger tablets. At level 3, the probability that an attacker will guess the password is 0.13%. Recognition-based requires users to recognize pre-selected images and cued recall-based graphical requires users to click on pre-selected points on an image. In the Sierpinski triangle, a selected colored pattern is created during the registration and is hidden in the device. To authenticate themselves, a user must select the correct pattern in each level while the triangles randomly shuffle. Since the colored triangles are randomly generated, they can be found in different locations for every authentication, thus leaving smudges behind that do not give any clues to potential attackers. This technique can be used on Android devices, ATM machines, laptops, or any device that uses authentication to unlock.[25]

2 x 2 and 1 x 2 Knock Code[edit]

Knock Code is authentication method introduced by LG Electronics that allows users to unlock a phone without turning it on by tapping the correct area in the right sequence. The screen is split into four sections, with the vertical and horizontal lines changing.[45] There are two variations of Knock Code that have been proposed—the 2 x 2 and 1 x 2 knock code. These variations can protect against smudge attacks due to the sliding operations that erase the knocking at the end after the taps are inputted. In a user study that compared the original Knock Code and the Android Pattern Lock, these variation schemes were more resistance to smudge attacks.[20]

  • 2 x 2 knock code: The 2 x 2 knock code adds the sliding gesture which helps increase the amount of password combinations to about 4.5 billion ways or 53 thousand times bigger than the original Knock Code. This scheme uses four parts of the grid and aims to decrease the amount of gestures performed while still having a high level of security.[20]
  • 1 x 2 knock code: The 1 x 2 scheme also uses sliding operations but decreases the amount of areas to two that are side-to-side. Flexible area recognition, which is the algorithm used, doesn’t allow sliding operations in the same area for convenience, and the user only has to use their thumb to unlock the phone. The amount of passwords in the subspace is the exact same as the original Knock Code.[20]


There has been movement towards physiological biometric authentication in current smartphone security such as fingerprint and facial recognition that allow the user to replace their PINs and alphanumeric passcodes.[4] However, even new and advanced authentication methods have flaws and weaknesses that users can take advantage of. For example, in an examination of touch authentication, researchers observed similar swiping behavior and finger pressure in a large number of phone users, and this generic information can aid attackers in performing successful attacks.[39] Research on biometrics and multi-gesture authentication methods is continuing to help combat attacks on traditional passwords and eliminate the vulnerabilities of novel schemes as new trends and new technology are developed.[18]

See also[edit]


  1. ^ a b c d e f Aviv, Adam J.; Gibson, Katherine; Mossop, Evan; Matt, Matt; Jonathan, Smith (2010). "Smudge attacks on smartphone touch screens" (PDF). USENIX Association: 1–7 – via In Proceedings of the 4th USENIX conference on Offensive technologies.
  2. ^ a b c d e Spreitzer, Raphael; Moonsamy, Veelasha; Korak, Thomas; Mangard, Stefan (2018). "Systematic Classification of Side-Channel Attacks: A Case Study for Mobile Devices". IEEE Communications Surveys & Tutorials. 20 (1): 465–488. doi:10.1109/comst.2017.2779824. hdl:2066/187230. ISSN 1553-877X. S2CID 206578562.
  3. ^ von Zezschwitz, Emanuel; Koslow, Anton; De Luca, Alexander; Hussmann, Heinrich (2013). "Making graphic-based authentication secure against smudge attacks". Proceedings of the 2013 international conference on Intelligent user interfaces. New York, New York, USA: ACM Press. p. 277. doi:10.1145/2449396.2449432. ISBN 978-1-4503-1965-2. S2CID 13389690.
  4. ^ a b c d Meng, Weizhi; Wong, Duncan S.; Furnell, Steven; Zhou, Jianying (2015). "Surveying the Development of Biometric User Authentication on Mobile Phones". IEEE Communications Surveys & Tutorials. 17 (3): 1268–1293. doi:10.1109/comst.2014.2386915. ISSN 1553-877X. S2CID 8918672.
  5. ^ a b c Kwon, Taekyoung; Na, Sarang (2014-05-01). "TinyLock: Affordable defense against smudge attacks on smartphone pattern lock systems". Computers & Security. 42: 137–150. doi:10.1016/j.cose.2013.12.001. ISSN 0167-4048. S2CID 15147662.
  6. ^ a b Schneegass, Stefan; Steimle, Frank; Bulling, Andreas; Alt, Florian; Schmidt, Albrecht (2014-09-13). "SmudgeSafe". Proceedings of the 2014 ACM International Joint Conference on Pervasive and Ubiquitous Computing. UbiComp '14. Seattle, Washington: Association for Computing Machinery. pp. 775–786. doi:10.1145/2632048.2636090. ISBN 978-1-4503-2968-2. S2CID 15505553.
  7. ^ Danchev, Dancho. "Researchers use smudge attack, identify Android passcodes 68 percent of the time". ZDNet. Retrieved 2020-11-08.
  8. ^ "Shocker: Touchscreen smudge may give away your Android password pattern". Engadget. Retrieved 2020-11-08.
  9. ^ "Android and data loss protection (archived web page)". Whisper Systems. Archived from the original on June 28, 2012. Retrieved 28 June 2012.{{cite web}}: CS1 maint: unfit URL (link)
  10. ^ "[New App] WhisperCore Prevents Smudge Attacks On Android Phones - With The Sacrifice Of Convenience, That Is". Android Police. 2011-06-02. Retrieved 2020-11-14.
  11. ^ a b Oorschot, P. C. van; Thorpe, Julie (January 2008). "On predictive models and user-drawn graphical passwords". ACM Transactions on Information and System Security. 10 (4): 1–33. doi:10.1145/1284680.1284685. ISSN 1094-9224. S2CID 3849996.
  12. ^ a b c d Cha, Seunghun; Kwag, Sungsu; Kim, Hyoungshick; Huh, Jun Ho (2017-04-02). "Boosting the Guessing Attack Performance on Android Lock Patterns with Smudge Attacks". Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security. New York, NY, USA: ACM. pp. 313–326. doi:10.1145/3052973.3052989. ISBN 978-1-4503-4944-4. S2CID 2717197.
  13. ^ a b c d e f g h i j k Zhang, Yang; Xia, Peng; Luo, Junzhou; Ling, Zhen; Liu, Benyuan; Fu, Xinwen (2012). "Fingerprint attack against touch-enabled devices". Proceedings of the second ACM workshop on Security and privacy in smartphones and mobile devices. New York, New York, USA: ACM Press. p. 57. doi:10.1145/2381934.2381947. ISBN 978-1-4503-1666-8. S2CID 13841585.
  14. ^ a b Belhadjamor, M.; El Mansori, M.; Belghith, S.; Mezlini, S. (2016-12-30). "Anti-fingerprint properties of engineering surfaces: a review". Surface Engineering. 34 (2): 85–120. doi:10.1080/02670844.2016.1258449. ISSN 0267-0844. S2CID 136311346.
  15. ^ "Molecular Expressions Microscopy Primer: Light and Color - Specular and Diffuse Reflection: Interactive Tutorial". Retrieved 2020-11-06.
  16. ^ a b c d Li, Qingqing; Dong, Penghui; Zheng, Jun (2020-01-11). "Enhancing the Security of Pattern Unlock with Surface EMG-Based Biometrics". Applied Sciences. 10 (2): 541. doi:10.3390/app10020541. ISSN 2076-3417.
  17. ^ Ibrahim, Tahir Musa; Abdulhamid, Shafi'i Muhammad; Alarood, Ala Abdusalam; Chiroma, Haruna; Al-garadi, Mohammed Ali; Rana, Nadim; Muhammad, Amina Nuhu; Abubakar, Adamu; Haruna, Khalid; Gabralla, Lubna A. (August 2019). "Recent advances in mobile touch screen security authentication methods: A systematic literature review". Computers & Security. 85: 1–24. doi:10.1016/j.cose.2019.04.008. ISSN 0167-4048. S2CID 145940751.
  18. ^ a b Ratha, N. K.; Connell, J. H.; Bolle, R. M. (2001). "Enhancing security and privacy in biometrics-based authentication systems". IBM Systems Journal. 40 (3): 614–634. doi:10.1147/sj.403.0614. ISSN 0018-8670. S2CID 10691349.
  19. ^ a b Liu, Can; Clark, Gradeigh D.; Lindqvist, Janne (2017-03-30). "Guessing Attacks on User-Generated Gesture Passwords". Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies. 1 (1): 3:1–3:24. doi:10.1145/3053331. S2CID 11303893.
  20. ^ a b c d e "Enhanced Knock Code Authentication with High Security and Improved Convenience". KSII Transactions on Internet and Information Systems. 12 (9). 2018-09-30. doi:10.3837/tiis.2018.09.024. ISSN 1976-7277.
  21. ^ a b Andriotis, Panagiotis; Tryfonas, Theo; Oikonomou, George (2014), Complexity Metrics and User Strength Perceptions of the Pattern-Lock Graphical Authentication Method, Lecture Notes in Computer Science, Cham: Springer International Publishing, pp. 115–126, doi:10.1007/978-3-319-07620-1_11, ISBN 978-3-319-07619-5, retrieved 2020-11-18
  22. ^ Tao, Hai; Adams, Carlisle (September 2008). "Pass-Go: A Proposal to Improve the Usability of Graphical Passwords". International Journal of Network Security. 7 (2): 273–292. CiteSeerX
  23. ^ Harper, Elizabeth. "Your Android Phone's Pattern Lock Is Easy to Guess". Retrieved 2020-12-01.
  24. ^ "What's the Most Secure Way to Lock Your Smartphone?". Gizmodo. 26 July 2017. Retrieved 2020-10-29.
  25. ^ a b Ali, Adnan; Rafique, Hamaad; Arshad, Talha; Alqarni, Mohammed A.; Chauhdary, Sajjad Hussain; Bashir, Ali Kashif (2019-02-07). "A Fractal-Based Authentication Technique Using Sierpinski Triangles in Smart Devices". Sensors. 19 (3): 678. Bibcode:2019Senso..19..678A. doi:10.3390/s19030678. ISSN 1424-8220. PMC 6387263. PMID 30736448.
  26. ^ Yu, Xingjie; Wang, Zhan; Li, Yingjiu; Li, Liang; Zhu, Wen Tao; Song, Li (November 2017). "EvoPass: Evolvable graphical password against shoulder-surfing attacks". Computers & Security. 70: 179–198. doi:10.1016/j.cose.2017.05.006. ISSN 0167-4048. S2CID 5566753.
  27. ^ "InvisibleShield - The #1 Selling Impact & Scratch Protection". Retrieved 2021-01-12.
  28. ^ a b "Hackers Can Steal Your Password via Your Smartphone's Screen Smudges. The Smudge-Resistant DTEK50 Helps Prevent That". Retrieved 2020-12-05.
  29. ^ Brookes, Tim. "How to Protect and Restore Your Smartphone's Oleophobic Coating". How-To Geek. Retrieved 2020-12-07.
  30. ^ "BlackBerry DTEK50 - Full phone specifications". Retrieved 2020-12-05.
  31. ^ "Giz Bill Nye Explains: The iPhone 3GS's Oleophobic Screen". Gizmodo. 24 June 2009. Retrieved 2020-12-07.
  32. ^ "Cleaning your iPhone". Apple Support. Retrieved 2020-12-07.
  33. ^ "HTC Hero - Full phone specifications". Retrieved 2020-12-07.
  34. ^ "How Biometrics Works". HowStuffWorks. 2005-11-11. Retrieved 2020-12-31.
  35. ^ a b c Alzubaidi, Abdulaziz; Kalita, Jugal (2016). "Authentication of Smartphone Users Using Behavioral Biometrics". IEEE Communications Surveys & Tutorials. 18 (3): 1998–2026. arXiv:1911.04104. doi:10.1109/comst.2016.2537748. ISSN 1553-877X. S2CID 8443300.
  36. ^ a b Ferrag, Mohamed Amine; Maglaras, Leandros; Derhab, Abdelouahid; Janicke, Helge (2019-09-13). "Authentication schemes for smart mobile devices: threat models, countermeasures, and open research issues". Telecommunication Systems. 73 (2): 317–348. arXiv:1803.10281. doi:10.1007/s11235-019-00612-5. ISSN 1018-4864. S2CID 4407928.
  37. ^ Khan, Hassan; Hengartner, Urs; Vogel, Daniel (2020-02-12). "Mimicry Attacks on Smartphone Keystroke Authentication". ACM Transactions on Privacy and Security. 23 (1): 1–34. doi:10.1145/3372420. ISSN 2471-2566. S2CID 211041059.
  38. ^ a b Jain, Anil K.; Nandakumar, Karthik; Nagar, Abhishek (2013), "Fingerprint Template Protection: From Theory to Practice", Security and Privacy in Biometrics, London: Springer London, pp. 187–214, doi:10.1007/978-1-4471-5230-9_8, ISBN 978-1-4471-5229-3, retrieved 2020-11-25
  39. ^ a b Serwadda, Abdul; Phoha, Vir V.; Wang, Zibo; Kumar, Rajesh; Shukla, Diksha (2016-05-06). "Toward Robotic Robbery on the Touch Screen". ACM Transactions on Information and System Security. 18 (4): 1–25. doi:10.1145/2898353. ISSN 1094-9224. S2CID 2800266.
  40. ^ Shen, Chao; Zhang, Yong; Guan, Xiaohong; Maxion, Roy A. (March 2016). "Performance Analysis of Touch-Interaction Behavior for Active Smartphone Authentication". IEEE Transactions on Information Forensics and Security. 11 (3): 498–513. doi:10.1109/TIFS.2015.2503258. ISSN 1556-6013. S2CID 10783876.
  41. ^ Shahzad, Muhammad; Liu, Alex X.; Samuel, Arjmand (2017-10-01). "Behavior Based Human Authentication on Touch Screen Devices Using Gestures and Signatures". IEEE Transactions on Mobile Computing. 16 (10): 2726–2741. doi:10.1109/TMC.2016.2635643. ISSN 1536-1233. S2CID 38908203.
  42. ^ a b Meriem Guerar; Alessio Merlo; Mauro Migliardi (2017-06-30). "ClickPattern: A Pattern Lock System Resilient to Smudge and Side-channel Attacks". Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications. 8 (2): 64–78. doi:10.22667/JOWUA.2017.06.31.064.
  43. ^ a b Song, Yunpeng; Cai, Zhongmin; Zhang, Zhi-Li (May 2017). "Multi-touch Authentication Using Hand Geometry and Behavioral Information". 2017 IEEE Symposium on Security and Privacy (SP). IEEE. pp. 357–372. doi:10.1109/sp.2017.54. ISBN 978-1-5090-5533-3. S2CID 6334061.
  44. ^ Maqsood, Sana; Chiasson, Sonia; Girouard, Audrey (2016-08-01). "Bend Passwords: using gestures to authenticate on flexible devices". Personal and Ubiquitous Computing. 20 (4): 573–600. doi:10.1007/s00779-016-0928-6. ISSN 1617-4917. S2CID 15617366.
  45. ^ "LG ANDROID KNOCK ON & KNOCK CODE | LG USA Support". LG USA. Retrieved 2020-11-07.