Biometrics vs. Pins vs. Passwords: Which Way Is More Secure for Locking Your Android Phone?
It's safe to say that Android users need to be careful when they're online. In theory, before developers publish applications on Google Play, their creations must be checked for malware. Despite this, it looks like smuggling some malicious code onto Android's official app store isn't actually that difficult. There is, of course, the question of updates as well. For a variety of complicated reasons, the Android ecosystem makes pushing system updates an enormous hassle. As a result, millions of people share sensitive information and do their online banking on devices that are running woefully outdated software.
All in all, online security is a problem for Android users. But what about physical security? What happens if someone tries to use your smartphone when you're not looking?
When it comes to locking an Android device, you are somewhat spoilt for choice, and you might be wondering which of the options you should choose. Let's take a look at the mechanisms and try to find out.
Biometrics – real security or a gimmick?
What was once the stuff of spy novels and movies is now an everyday reality. Using body parts to prove that we are who we say we are is becoming more and more common. Android Pie, the mobile operating system's latest version, even comes with native support for retina scanners, though it must be said that this particular type of authentication is yet to infiltrate the market on any sort of meaningful scale.
Fingerprint readers and face recognition software are the common options right now, and when it comes to user-friendliness, you'll be hard-pressed to find anything more straightforward to use. Indeed, dirty fingers or peculiar lighting conditions could sometimes slow biometric authentication down, but overall, at the moment, we don't have anything that's nearly as fast or convenient.
From a security standpoint, however, it does raise some concerns. In all likelihood, the objects that surround you at the moment, for example, are covered in your fingerprints. If an attacker knows what they're doing, collecting, replicating, and abusing them is not difficult at all.
Facial recognition is arguably even more problematic. Although more and more devices come with this functionality, the technology is still relatively new and not completely reliable. In some cases, the software uses an infrared camera to get a detailed scan of your face and figure out if all the features are where they are supposed to be. In others, however, the technology is much less sophisticated and can be fooled by a simple photograph.
The upshot is, before you set up biometric authentication on your phone, you could do worse than read through some technical specifications in order to figure out what sort of technology the vendor has used. It will give you a much better idea of how secure the system is, and if you decide that you don't like what you see, you can always go for a more old-school alternative.
Passwords – the traditional choice
Your computer is most likely protected by a password. Why not use a password to lock your phone as well? Let's see what the advantages are.
A password could be a very secure way of protecting data. For this reason, we have passwords for everything nowadays. Bear in mind, however, that not all passwords are good. If, for example, you use your name or a simple combination like "qwerty", an attacker will be able to break in in a jiffy.
If you're going to use a password to lock your phone, make it long and fill it with a random selection of different characters. This is the only way to ensure that any attempts to tamper with your data are stifled. Sadly, as is often the case, it's easier said than done.
It's common knowledge that the stronger the password, the more difficult it is to remember it. Indeed, memorizing the password that unlocks your phone should be a top priority because, by default, modern Android devices don't give you the option of resetting it. There's a usability issue as well.
Even with a full-size keyboard, typing a strong password could be a hassle sometimes. And as we all know, when you're on your phone, you rarely have the convenience of a full-size keyboard. The tiny buttons and the need to switch between different layouts in order to type special characters could turn the simple task of entering a password into a painfully slow and frustrating experience. As a result, many people decide not to bother at all.
PINs and patterns – a simpler alternative
A PIN (or Personal Identification Number) seems like a good alternative to the password. Since it consists of digits only, remembering it is much easier, and when you're entering it, you're presented with far fewer buttons, meaning that fat-fingering the code is much less likely.
From a usability standpoint, a PIN is a much more compelling proposition, but as you might have guessed already, there is a rather huge downside when it comes to security. Here's how big it is exactly.
If your PIN is six digits long, an attacker would need to go through around 1 million combinations to crack it, and if you're Kanye West, they would need far fewer.
If, on the other hand, you have a password that's six characters long but consists of upper- and lower-case letters, numbers and special characters, the hackers are looking at around 690 billion possible combinations. Shoulder surfing is also easier with numeric PINs.
Speaking of shoulder surfing, people continue to use the grid pattern, an unlocking mechanism that's not available on other mobile operating systems. For many of you, memorizing a pattern is much easier than memorizing a PIN, and thanks to muscle memory, you learn to draw the correct pattern quickly and with one finger only.
Sadly, the fact that you can remember it easily means that the person sitting behind you can do it as well. Even if you are constantly aware of your surroundings, the smudges your fingers leave on the screen can give your pattern away.
Which locking mechanism should you choose?
Neither Android nor any other operating system can give you a perfect authentication mechanism. If you choose a good password, for example, you will need to accept the fact that every time you want to unlock your phone, you will need to enter a long, complicated string of characters. In much the same way, if you go for the convenience of fingerprint authentication, you'll need to accept the risks associated with it.
The thing that you really need to think about, however, is your own position in this complex landscape. Can you remember another long, complicated password, or are you better off relying on a simpler PIN? What would hackers gain if they take your phone and unlock it? Is the potential loot enough to motivate them to fool the fingerprint reader or face recognition software? Do you feel comfortable having your biometric data handled by a device that runs Google's software?
Once you answer all these (and a few more) questions, you will see which locking mechanism is the right one for you.