On the Security and Usability Implications of Providing Multiple Authentication Choices on Smartphones

Abstract

The latest smartphones have started providing multiple authentication options including PINs, patterns, and passwords (knowledge based), as well as face, fingerprint, iris, and voice identification (biometric-based). In this article, we conducted two user studies to investigate how the convenience and security of unlocking phones are influenced by the provision of multiple authentication options. In a task-based user study with 52 participants, we analyze how participants choose an option to unlock their smartphone in daily life. The user study results demonstrate that providing multiple biometric-based authentication choices does not really influence convenience, because fingerprint had monopolistic dominance in the usage of unlock methods (111 of a total of 115 unlock trials that used a biometric-based authentication factor) due to users’ habitual behavior and fastness in unlocking phones. However, convenience was influenced by the provision of both knowledge-based and biometric-based authentication categories, as biometric-based authentication options were used in combination with knowledge-based authentication options—pattern was another frequently used unlock method. Our findings were confirmed and generalized through a follow-up survey with 327 participants. First, knowledge-based and biometric-based authentication options are used interchangeably. Second, providing multiple authentication options for knowledge-based authentication may influence convenience—both PINs (55.7%) and patterns (39.2%) are quite evenly used. Last, in contrast to knowledge-based authentication, providing multiple authentication choices for biometric-based authentication has less influence on choosing unlock options—fingerprint scanner is the most frequently used option (134 of 187 unlock methods used among biometric-based authentication options).