On the Impact of Touch ID on iPhone Passcodes PDF

20 Pages·2015·0.58 MB·English

On the Impact of Touch ID on iPhone Passcodes

Ivan Cherapau, Ildar Muslukhov, Nalin Asanka, Konstantin Beznosov
University of British Columbia, Vancouver, Canada
{icherapau,ildarm,nalin,beznosov}@ece.ubc.ca

Copyright is held by the author/owner. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee.
Symposium on Usable Privacy and Security (SOUPS) 2015, July 22–24, 2015, Ottawa, Canada.
USENIX Association, 2015 Symposium on Usable Privacy and Security

ABSTRACT

Smartphones today store large amounts of data that can be confidential, private or sensitive. To protect such data, all mobile OSs have a phone lock mechanism, a mechanism that requires user authentication before granting access to applications and data on the phone. iPhone’s unlocking secret (a.k.a., passcode in Apple’s terminology) is also used to derive a key for encrypting data on the device. Recently, Apple has introduced Touch ID, that allows a fingerprint-based authentication to be used for unlocking an iPhone. The intuition behind the technology was that its usability would allow users to use stronger passcodes for locking their iOS devices, without substantially sacrificing usability. To this date, it is unclear, however, if users take advantage of Touch ID technology and if they, indeed, employ stronger passcodes. It is the main objective and the contribution of this paper to fill this knowledge gap.

In order to answer this question, we conducted three user studies (a) an in-person survey with 90 participants, (b) interviews with 21 participants, and (c) an online survey with 374 Amazon Mechanical Turks. Overall, we found that users do not take an advantage of Touch ID and use weak unlocking secrets, mainly 4-digit PINs, similarly to those users who do not use Touch ID. To our surprise, we found that more than 30% of the participants in each group did not know that they could use passwords instead of 4-digit PINs. Some other participants indicated that they adopted PINs due to better usability, in comparison to passwords. Most of the participants agreed that Touch ID, indeed, offers usability benefits, such as convenience, speed and ease of use. Finally, we found that there is a disconnect between users’ desires for security that their passcodes have to offer and the reality. In particular, only 12% of participants correctly estimated the security their passcodes provide.

1. INTRODUCTION

Smartphones have become our primary devices for accessing data and applications. With more than a billion smartphones sold in 2014 and more than 2 billion active subscribers, global smartphone user base is expected to grow to 5.6 billion by 2019 [15]. Smartphones are already used for online banking, accessing corporate data, operations that used to be only in the domain of desktops and laptops. This results in sensitive and confidential data being stored and accessed on smartphones. High mobility and small size of smartphones alter the common threat model we used for desktop and laptop devices. In particular, it is much easier to steal smartphones due to their size, and then to access data-at-rest [29].

Adopted by all mobile OS developers, the state of the art in protecting data-at-rest is to encrypt it. In order to avoid the problem of storing an encryption key together with the encrypted data, the key encryption key is commonly derived from the secret used for unlocking the device. Unfortunately, users employ weak unlocking secrets (a.k.a., “passcodes” in Apple’s terminology), mainly due to usability-related considerations [32]. Being most common unlocking secrets, personal identification numbers (PINs) are not only susceptible to shoulder surfing attacks, but can also be easily brute-forced [34]. At the same time, PINs are considered unusable by more than 20% of smartphone users [32]. In particular, usability issues pushed these users to disable smartphone lock completely, which leaves hundreds of millions of such users unprotected [31].

Several device manufacturers, such as Apple and Samsung, have recently introduced biometric authentication for unlocking smartphones. As a case in point, with the release of iPhone 5S in 2013, Apple has introduced a fingerprint sensor integrated into the “home button”. Branded as Touch ID, the sensor authenticates a user, once she touches the button. As stated in the iOS security white paper [4], the key advantage of Touch ID is that it “makes using a longer, more complex password far more practical because users won’t have to enter it as frequently” and “the stronger the user password is, the stronger the encryption key becomes. Touch ID can be used to enhance this equation by enabling the user to establish a much stronger password than would otherwise be practical.”

These claims appear to be based on the assumption that the usability of a password largely depends on the frequency of its usage and that users will use stronger passwords, as a result of the decrease in usage frequency. Recent research, however, casts doubts on this assumption. In particular, several findings suggest that users tend to create low-entropy passwords, regardless of how frequently they have to input them [8, 18, 35]. Thus, it is unclear if and how Touch ID impacts the choice of users’ passcodes. It is the main focus and the contribution of this paper to fill this knowledge gap.

In order to understand the impact of Touch ID sensor on users’ passcode selection, we focused on testing our main hypothesis (H1alt) – “There is a difference in passcode entropy between those who use Touch ID and those who do not.” For assessing passcode’s strength, we used zero-order entropy, which estimates the search space of a secret, assuming that each character is chosen randomly and independently. Zero-order entropy served the purpose of comparing the strength of two passcode groups, without having access to actual passcodes. The results of our study revealed that even with zero-order entropy, which overestimated the real complexity of passcodes, the strength of the participants’ passcodes was such that made brute-force attacks practical. For brevity, throughout this paper we refer to zero-order entropy as “entropy”.

To test H1alt, we performed three user studies. First, we conducted an in-person survey with 90 iPhone owners in shopping malls and other public places in Vancouver, Canada. We opted for an in-person survey in order to verify accurately the self-reported data, such as the passcode length and the method of the phone unlocking. Results of the survey did not reveal statistically significant difference in the passcode entropies between those who did and who didn’t use Touch ID. Furthermore, the 95% confidence interval suggested that if, hypothetically, there were a difference, then its absolute value could not be larger than 3.35 bits.

In order to understand why users are not adopting stronger passwords when Touch ID is available, we followed up with an interview study of 21 participants. Its results led us to identify possible reasons for users to stick with 4-digit PINs. Finally, to corroborate findings of the first two studies, we conducted an online survey with 374 Amazon Mechanical Turks. Overall, we confirmed statistical results of the first study and measured prevalence of reasons for using 4-digit PINs. In particular, more than 30% of the participants were unaware that passwords are available on iPhones, around 35% of the participants preferred PINs, as they are easier to remember, and more than half of the participants used PINs because they are easier to use (e.g., faster to type). In addition, we narrowed down the 95% confidence interval for a theoretical difference in passcode entropies between the two groups down to 1.91 bits.

Overall this paper makes the following contributions:

• We question the validity of the assumption that such phone unlocking methods as Touch ID would nudge users to use higher-entropy passcodes. We did not find any significant difference in passcode strengths between the two groups. Furthermore, the 95% confidence interval for the differences in mean entropy shows that even if there were a statistically significant difference, it would not be greater than 1.91 bits. In the light of observed average entropy (approximately 16 bits), such a difference would result in passcodes of 18 bits of entropy, translating to about 4.5 hours of extra work for an adversary performing an on-device brute-force guessing attack on an iPhone [4].

• We investigate why Touch ID has not resulted in stronger passcodes. In particular, we find that more than 30% of users do not know that they can use passwords, rather than PINs. Others use PINs due to the usability benefits over passwords, e.g., easy to remember or faster to type.

• Finally, we find a significant mismatch between the desires for protection the majority of iPhone owners report and the actual strength of their passcodes. In particular, the preferences of only 12% of participants matched the provided level of protection, while others preferred significantly higher protection. For instance, 48% desired their passcodes to protect the data for more than 40 years, which is far from reality.

The rest of the paper is organized as follows. We first provide background and discuss related work in Sections 2 and 3. Next, we present our research question and our approach at answering it in Section 4. Then we describe our studies: in-person survey in Section 5, interviews in Section 6, and MTurk survey in Section 7. We discuss results in Section 8 and conclude in Section 9.

2. BACKGROUND

We begin this section with a description of a practical brute-force attack on iOS device passcode. Then, we explain how Touch ID works. We conclude by describing zero-order entropy.

2.1 Data Protection and Brute-force Attack

To protect data confidentiality, iOS encrypts each file with a unique per-file key. Per-file key is then encrypted with one of four class keys. Each of the four class keys is available during various contextual settings, e.g., on the first unlock after booting. These class keys are protected with a combination of the user’s passcode and the device key, a unique per-device key embedded in the crypto-chip. In order to extract this device key, an adversary can attempt to reverse engineer the crypto chip, which is an expensive task in terms of time and resources required. An alternative option for an adversary would be to mount an on-device guessing attack on the passcode. An adversary uses the crypto-chip directly in an on-device attack, in order to try passcode candidates and eventually to decrypt class keys. To decrease the effectiveness of such attacks, the crypto-chip in iPhones and iPads is calibrated to take at least 80 ms for each passcode attempt.

In order to mount an on-device attack, an adversary needs to run arbitrary code on the target device. This can be achieved by compromising the boot-chain [1], which would allow bypassing iOS kernel’s limitation on the number of available passcode guessing attempts [42]. For example, the current version of iOS (8.3), if configured so, would limit the number of guesses to 10, and wipe out the device afterwards. It takes some time, effort, and luck to find an exploitable bug in the boot-chain. While no flaws are known in the current iOS, such flaws have been found in earlier versions.

To summarize, due to the feasibility of on-device unlimited guessing attacks, the protection of the data-at-rest on iOS devices could any day end up hinging on the security of their passcodes.

2.2 Touch ID

Touch ID is a biometric authentication sensor based on a high definition fingerprint scanner embedded into “home button” on iPhones and iPads. This sensor allows users to unlock their devices by simply touching the home button. Although Touch ID allows to unlock a device without typing in a passcode, users are still required to set passcodes on their devices, before being able to use Touch ID. The main reason for such a strict requirement lies in data-at-rest encryption, which needs a source of entropy that is not stored on the device itself. User’s device unlocking secret serves this purpose.

A passcode can be either (1) a simple 4-digit PIN [footnote 1] or (2) a longer one, with up to 37 characters selected from the alphabet of 77 symbols, to which we refer in this paper as “password”. The user can choose to set up either a PIN or a password as her unlocking secret. We use term “passcode” as a general reference for an unlocking secret, unless we want to distinguish between PINs and passwords.

[Footnote 1: Apple security white paper defines it as a “simple passcode”.]

When a device with Touch ID enabled boots, it prompts the user to provide the correct passcode. At this stage, the internal memory of Touch ID is clear, i.e., immediately after reboot users are not able to use Touch ID sensor. Once the user provides the correct passcode, the iOS is able to recover actual data encryption keys and uses them to decrypt and encrypt data. If the device is locked, OS erases certain types of keys from RAM, which will require either the correct passcode or successful unlocking with Touch ID, in order to recover these keys on unlock. The unlocking flow with Touch ID enabled is shown in Figure 1.

Figure 1: Unlocking flow with Touch ID enabled. When the user locks the device, the class encryption keys are wrapped by a random temporary encryption key (TEK). To unlock the device, the user has two options, she can either (1) type in her passcode, or (2) use Touch ID. When the user uses Touch ID, it authenticates the user by matching her fingerprint with saved fingerprints (3). If the authentication is successful, the sensor releases the TEK to the Secure Enclave (4), which allows decrypting class keys and sending them to the crypto-chip (7). If the user fails to authenticate for five times with Touch ID, or does not unlock device for 48 hours, the Touch ID sensor flushes the TEK, which leaves typing in the passcode as the only option for unlocking the device. Without Touch ID, the user types her passcode (1), which is sent to the Secure Enclave (5). The combination of the device key (6) and password (5) are used to decrypt class keys and send them to the crypto-chip (7).

When a user locks the device that has Touch ID enabled, iPhone’s CPU generates a random temporary encryption key (TEK), which protects certain class keys by “wrapping” them (a cryptographic operation somewhat similar to encryption). It then sends the TEK to Touch ID and deletes class keys from RAM. After that, there are two options for the iOS to recover the wrapped class keys (1) receive the TEK from Touch ID once the user successfully authenticates to the sensor, or (2) receive the correct passcode from the user, then derive the correct encryption key from a combination of the passcode and the device key, and then “unwrap” class keys. When the user touches the Touch ID sensor, the sensor tries to authenticate the user based on the fingerprint. If the authentication attempt is successful, the sensor releases the TEK to the Secure Enclave, which is located in the CPU. If, however, the user fails to authenticate with the fingerprint for five times, or has not unlocked the device for 48 hours, the Touch ID sensor flushes the TEK, which leaves passcode as the only option for unlocking an iPhone.

We decided to focus on Touch ID, because it is deployed on an existing and popular mobile platform, adopted by millions of users worldwide. We did not study Android fingerprint and face recognition because the former is a new technology that first appeared in April 2014 [20] and the latter has not become widely adopted by the users, probably due to usability [7] and security issues [16].

2.3 Zero-order Entropy

The strength of an authentication secret is defined by the effort an attacker needs to spend on guessing it. In simple terms, this effort is assumed to be proportional to the size of the search space the attacker needs to check in order to find the secret. One such metric is zero-order entropy, measured in bits and calculated as

\[ L \cdot \log_2 N \]

where L is the length of the password and N is the character set size. For example, the length of iPhone’s PIN in iOS 8.3 is four and the character set size is 10, hence, its zero-order entropy is 13.28 bits. That is, zero-order entropy measures the size of the whole search space of all possible secrets of a given length and the size of a given alphabet, with the assumption that each character is selected randomly and independently from all other characters.

Of course, zero-order entropy, as a metric, suffers from several limitations, when it’s applied to human-chosen secrets, like passwords and PINs. The most important one is that it does not measure the secret strength accurately. Recent research has shown that users tend to select highly predictable passwords and often use dictionary words as ones [9, 17]. Such predictability makes the search space smaller, i.e., the work of an attacker easier. This implies that the zero-order entropy measures the upper bound of the attacker’s work. In other words, it overestimates the actual work.

3. RELATED WORK

Authentication mechanisms have been studied extensively for many years [8, 26], however, text-based passwords remain the most commonly used authentication mechanism and the security’s weakest link [9, 22, 27]. Florencio and Herley [17] conducted a study on web password use and reuse with half a million users over a three months period. Their results suggest that web users employ and re-use low-entropy passwords on websites. Weir et al. [40] analyzed a set of leaked passwords. The authors showed that popular passwords were also weak and “123456” was very common among users. To prevent users from choosing passwords that are too easy for an attacker to guess, system administrators often enforce password composition policies [27]. Such a policy might require users to use a password that contains non-alphanumeric symbols, lower and uppercase letters, and numbers. Using a password policy that is too strict, however, might backfire and push users to write down passwords or store them on some other devices [27].

Two recent studies examined smartphone locking behaviours using conventional authentication mechanisms. Harbach et al. found that users activate their phones 85 times and unlock their phones 50 times per day on average and that most of users did not see any threat to the data on their phones [21]. Egelman et al. also found a strong correlation between locking behaviours and risk perceptions, but the authors believe that users underestimate the actual risks [14]. In contrast, we focused on studying the effect that Touch ID makes on users unlocking password selection and the reasons for such an effect.

Biometrics-based authentication modality has also received considerable attention from the research community in recent years [2, 30, 38]. Although usability of a biometric system is still an important factor in adoption [33, 37], such authentication methods could potentially remedy common drawbacks of text-based passwords. For example, users do not need to remember anything [7]. Indeed, recent studies showed that the usability of biometric-based phone unlocking is important for users [13]. Crawford and Renaud [12], however, have showed that users are willing to try biometric authentication mainly for its usability benefits. In addition, Breitinger et al. [10] suggest that 87% of users are in favour of fingerprint authentication. Others have found that the presence of a biometric factor in a two-factor authentication system can lead users to picking weaker credentials, in comparison with a password-only authentication system [41]. In contrast, we focus on how Touch ID impacts users’ choice of iPhone passcodes in a single-factor authentication system.

Indeed, there are many reasons to use fingerprint for authentication. To start with, it is unique to each individual, and it is almost impossible to find two people with an identical fingerprint pattern [4]. Individuals’ fingerprint patterns never change during their lifespan [39]. Fingerprint sensor can improve the security and the convenience for users, if used in smartphones [19], because there are many limitations of smartphones’ screens and keyboards [19, 25] that make password-based authentication/unlocking undesirable. For instance, text entry on constrained keyboards is prone to errors, time-consuming and frustrating. In particular, Lee and Zhai showed that error rate for typing on virtual keyboards, i.e., keyboards drawn on a screen, is 8% higher than on hardware keyboards for desktops [28]. In addition, Bao et al. [6] found that the average typing speed for an 8-character alphanumeric password on mobile devices is three times slower than on desktop computers.

Finally, recent research suggests that users tend to use weak 4-digit PINs over alphanumeric passwords in smartphones [24, 32]. Users justify such choice by ease of use of PINs, in comparison to passwords, especially in cases when one has to unlock their device with high frequency for day-to-day activities [31]. Unfortunately, it is clear today that a 4-digit PIN provides virtually no security for data-at-rest [4, 36]. To make the matter worse, even within the search space of 4-digit PINs, users make highly predictable choices. For example, Amitay [3] analyzed over 200,000 iPhone PINs and discovered that “1234” is the most common PIN, followed by “0000” and “2580”. Considering the software limitation on the number of allowed unlocking attempts (i.e., 10 attempts in iOS) through the user interface, one can try the top 10 PINs and still achieve 15% success rate without the need to go for an on-device brute-force attack [footnote 2]. That is, one in seven iPhones can be unlocked by just trying the top 10 PINs. It seems that the main intuition behind the design of Touch ID was to reduce the number of times the user must type her authentication secret to unlock the device [4]. Bhagavatula et al. found that most Touch ID users perceive it as more usable and secure than a PIN [7]. To the best of our knowledge, we are the first to assess whether users take an advantage of Touch ID by using stronger passcodes.

[Footnote 2: This is a simpler approach that does not require execution of arbitrary code on the device.]

4. METHODOLOGY OVERVIEW

The main research question (RQM) of our study was “How availability of Touch ID sensor impacts users’ selection of unlocking authentication secrets”. To answer this research question, we have formulated the following hypotheses to be tested:

• H1null – Use of Touch ID has no effect on the entropy of passcodes used for iPhone locking.

• H1alt – Use of Touch ID affects the entropy of passcodes used for iPhone locking.

• H2null – Availability of Touch ID has no effect on ratio of users who lock their iPhones.

• H2alt – Availability of Touch ID increases the ratio of users who lock their iPhones.

We conducted three user studies, starting with a study based on in-person surveys. This study allowed us to test our hypotheses. In addition, it allowed us to clarify areas with the lack of understanding and refine our follow-up studies. We followed the first study with interviews, in order to gain deeper insights into passcode selection by users. In particular, we focused on understanding why users do not take advantage of Touch ID, i.e., understanding users’ reasoning for not adopting stronger passcodes when Touch ID is available. Finally, to corroborate our data from the first study and to measure the prevalence of the reasons for using weak passcodes, we conducted the third study in a form of an online survey. This study gave us a larger and diverse subject pool for testing our set of hypotheses and provided descriptive statistics on reasons for using weak passcodes.

In the first and third studies, we chose zero-order entropy for estimating the strength of participants’ passcodes, even though it has limitations, as discussed in Section 2.3. There were several reasons for this choice. First, evaluation of the passcode’s guessability would require access to plaintext passcodes, which we chose not to obtain for ethical considerations. Second, zero-order entropy served well the purpose of our study in comparison of two groups, i.e., with and without Touch ID, in terms of work the attacker needs to do. Finally, the results of our study showed that even if we overestimated the passcodes strength, the actual workload for a brute-forcing attacker is still practical.

We obtained ethics approval from our university’s behavioural research ethics board for all three studies.

5. STUDY I: IN-PERSON SURVEY

5.1 Methodology

In our first study, we chose to use an in-person survey of iPhone users for several reasons. First and foremost, this choice allowed us to verify answers related to participants’ unlocking behaviour and the authentication secret being used. In addition, an in-person nature of the study allowed us to follow-up unforeseen answers with additional questions. We strived to recruit a pool of diverse participants, hence we approached people in public locations, such as shopping malls and coffee shops. Each participant signed a consent form and received $10 as a compensation for participation.

5.1.1 Study Design

To facilitate faster data collection in public locations with limited and unreliable access to the Internet, we used an iPad with our own survey app. All answers were stored locally on the iPad, and for some of the questions we also validated participants’ answers by asking participants to show us some elements of their unlocking process and other relevant data. In particular, we validated the type of the unlocking method used, by asking them to show the locked screen. We also validated the length of the password (for those who used it) by asking participants to show us the unlocking screen after the password has been typed but before they clicked on the enter button. This allowed us to validate their answer about the password length by our researcher counting the number of stars in the password field. In addition, participants were asked to navigate to the settings of the auto-lock screen on their iPhones and show us the value of the auto-lock timeout. Finally, by asking each participant who claimed to use Touch ID to unlock their device with a fingerprint, we were able to confirm that they, indeed, used it.

Most of the survey questions were either open-ended or contained option “other”, which allowed participants to provide their own answer if needed. The questionnaire guide is provided in Appendix A.1 and consists of the following parts:

Part 1: Demographic questions (e.g., age, gender, education, income, occupation).

Part 2: Security and privacy concerns related questions, e.g., we asked participants if they had any sensitive, private or valuable information on their iPhones.

Part 3: Questions on the experience participants had so far with their smartphones, including if they locked their previous smartphones.

Part 4: Passcode metrics questions. In this part, we asked participants to provide us a structure of their unlocking passcodes. In order to preserve confidentiality of their passcodes, we asked participants to substitute each character in their passcodes with the mnemonic of the character type: D - digits, L - lower-case letters, U - upper-case letters, S - special characters. We refer to such encodings of passcodes as “masks”. The screenshot of this question is shown in Figure 2. We chose this approach for two reasons. First, it allowed us to assess entropy. Second, this approach did not require participants to reveal their passcodes to us.

Part 5a: This section was only relevant to the owners of iPhone 5s, 6, and 6 Plus. Here, we asked questions related to Touch ID’s usability and reasons for its adoption.

Part 5b: This section was only relevant to the owners of iPhone 5 and older models. Here, we asked about their perception of biometric authentication methods such as Touch ID.

Figure 2: Passcode structure question in Study I.

In order to test our questionnaire, we conducted a pilot study with 12 participants. Based on the results of the pilot study, we revised several questions in the questionnaire and added an attention check question (#28 in Appendix A.1). Most of the changes we made were aimed at improving questions’ clarity and readability.

5.1.2 Participant Recruitment

We recruited participants in public places such as shopping malls, libraries and coffee shops in the downtown area of Vancouver. We approached prospective participants who had iPhones with them and invited them to participate in our study. We chose this recruitment method mainly because we were interested in the general population of iPhone users. We recruited participants who were iPhone users and 19 years old or older. Although the main focus of our study were owners of Touch ID (iPhone models 5S, 6, and 6 Plus), we also recruited owners of older models. Participants that used Touch ID were assigned to Touch ID group, while the rest to non-Touch ID group. Note that those iPhone 5S, 6, and 6 Plus owners who did not use Touch ID were assigned to the non-Touch ID group.

5.2 Results

In this section, we report the results of our in-person survey. We first report participants’ demographics, then provide findings for all participants and for each group separately. Finally, we report the results of statistical tests for H1 and H2.

Participant Demographics. Overall, we recruited 93 participants. We, however, had to exclude responses from 3 participants who failed password length verification. Thus, the results presented in this section are based on 90 participants.

Out of 90 participants, 30 were female. The minimum and maximum age was 19 and 71 years, and the average age was M = 29 (SD = 12). Among all participants, 41 used Touch ID sensor and 49 did not. The majority of our participants was experienced iPhone users, i.e., they owned an iPhone for more than two years. Only 12 participants owned iPhones for less than a year. Almost all of the participants (81) had owned another smartphone before the current one. Most of our participants (69) stated that they unlock their iPhones at least once per hour. In addition, we found that 32 participants had lost their smartphones before, and 15 participants were victims of smartphone theft. On average, participants completed survey in around 5.5 minutes (SD = 2 minutes) in non-Touch ID group, and in around 7 minutes (SD = 3 minutes) in Touch ID group. Demographics summary is provided in Table 2 (column “Study I”).

Reasons To Lock Or Not To. Overall the participants use various reasons for locking or not locking their iPhones. Some of the reasons were driven by a possible attacker, e.g., 58 participants locked their devices to prevent strangers from access, and four participants locked their devices to protect data if they get mugged, 23 participants locked their iPhones to control access by their family and/or friends. In addition, we found that some participants used social norms to rationalize locking, e.g., 12 participants locked their devices because their friends did the same.

Other reasons could be attributed to either (1) usability problems of device locking, voiced mainly by those who did not lock their device, or (2) the necessity to have certain features that were either enabled or prevented by device locking. The four participants who did not lock their device stated the following reasons: (a) locking a phone makes it impossible to use it in emergency cases, (b) locking iPhone makes it impossible to contact the owner in case the device is lost, and (c) unlocking process takes too much time. Only two participants, out of the four who did not lock their iPhones, stated that they did not care about security of their data.

Use of PINs and Passwords. Out of the 90 participants, 86 locked their phones, with 66 employing 4-digit PINs, and 20 using passwords. Third of the participants (36) used the same passcode for their iPhones as in their previous smartphones. In addition, 52 participants stated that they shared their passcode with someone else, and 53 stated that they knew passcodes for smartphones owned by others.

Touch ID Group. The Touch ID group included 41 participants, with 29 of them using 4-digit PINs. The majority of them agreed that they liked using Touch ID. In particular, 26 participants found that setting up Touch ID was easy or very easy, and 29 participants stated that the use of Touch ID was easy or very easy (see Appendix A.2 for more details). The majority of the participants (30) had never had any issues with Touch ID, and, overall, Touch ID participants considered Touch ID as a convenient, secure, quick, and easy to use unlocking mechanism.

Touch ID participants also voiced their concerns with fingerprint scanning sensor. In particular, three participants had problems with sharing their iPhones. Others saw Touch ID sensor as a threat due to the ability of an attacker to unlock the device, while the owner is sleeping (e.g., P9 “... [I] might be sleeping and someone might use my finger to unlock [my iPhone] ...”) [footnote 3]. Some participants were even afraid that an attacker might fake their fingerprints, in order to access the device later. Seven participants worried about privacy of their fingerprints, due to the lack of clarity on whether Apple stores their fingerprints somewhere else. For example, one of the participants (P11) stated that she was afraid about “Apple leaking my fingerprint and someone can impersonate me” and “fingerprint being used for purposes other than to just unlock my phone.”

[Footnote 3: Exactly the same story has happened in December 2014, when a boy unlocked the iPhone of his sleeping father with his father’s thumb [11].]

Non-Touch ID Group. The non-Touch ID group included 49 participants, where 37 participants used PINs and eight used passwords to unlock their iPhones. Four participants did not lock their phones and were excluded from computing average entropy of passcodes in this group. While 13 in this group had Touch ID available, they did not use it.

We observed that participants perceived fingerprint authentication as a security improvement. For example, “anyone can figure out a password but people can’t copy your fingerprint” (P69), “for those with sensitive info on phones more security is desirable” (P78), “it is easy, accurate and secure” (P5), “it’s safer” (P19), “more secure than 4 digit password” (P33), “no one can fake my fingers” (P89), “I will use Touch ID so my friends don’t get in my phone” (P45). Although their iPhones did not have fingerprint scanners, more than one-third of participants believe that Touch ID is the most secure unlocking method. Surprisingly, only three participants from non-Touch Group were willing to use a longer alphanumeric password alongside with the Touch ID.

5.2.1 Hypothesis Testing

To test H1, we first compared proportions of participants that used PINs and passwords in both groups. Then we compared mean values of entropies in both groups. Analysis of proportions did not reveal any statistically significant difference (χ-squared = 1.01, p = 0.32). For computing entropy of participants’ passcodes, we obtained the length of the passcodes and the alphabet size from the masks our participants provided (Figure 2). The results of Mann-Whitney U test did not reveal any statistically significant difference between mean values of entropies in Touch-ID and Non-Touch ID groups (W = 15708, p = 0.70), see Table 1. Thus, we were unable to reject H1null.

Table 1: Passcode average entropies for Touch ID and non-Touch ID groups in Study I. While non-Touch ID group had 49 participants, four of them did not use any passcode to lock their phones and were excluded in computing entropies.

        Touch ID      Non-Touch ID
Mean    15.88 bits    15.61 bits
SD      6.93 bits     7.45 bits
N       41            45

In addition, statistical analysis of the mean values of entropies gave us a confidence interval, i.e., the possible interval of the difference. This allowed us to assess the biggest possible difference in entropies in case a statistically significant difference is found, by recruiting larger participant pool. In this case the 95% confidence interval for the difference between the means was from -3.35 up to 2.81, or 3.35 bits at most.

If we consider a hypothetical scenario in which the Touch ID group has a higher entropy, and we simply failed to find it due to small size of the participant pool, and considering the observed mean entropy value of 15.88 bits, we can assess that the possible maximum entropy with 95% confidence is 19.23 bits.

Study 1 failed to show an effect of Touch ID on users’ preference to lock their iPhone.

5.3 Limitations

There were several limitations that might have negatively impacted our ability to find a statistically significant difference between passcodes of Touch ID and non-Touch ID groups. First, we might not have obtained large enough sample size. Second, our participant pool had a fairly large bias towards the 19-34 age group. Third, since we obtained only passcode exact length and the types of the characters in each position, but not the characters themselves, this coarse granularity of the data did not allow us to observe the difference. Fourth, as we did not control for or collect data on how technically and security savvy our participants were, we might have had one of the two groups with participants heavily skewed on these traits. In order to address these limitations and gain a deeper insight into why users are sticking with 4-digit PINs we decided to proceed with an interview-based study.

While we included an attention check question (see question 28 in Appendix A.1), we realized after running the survey that the question was poorly worded. So, we have decided not to exclude participants based on their response to this question, because most of those who failed the question likely did not understand it. We paraphrased the question and used it in Study III (see question 36 in Appendix C.1).

6. STUDY II: INTERVIEWS

We followed the in-person survey with an interview study in order to gain a better understanding of users’ reasoning to stick with weak passcodes. Our main objective was to answer research question (RQ1) “Why Touch ID users do not employ stronger passcodes for smartphone locking?”

6.1 Methodology

We designed our study with the focus on qualitative data collection. We used semi-structured interviews since they gave us the freedom to explore new topics, as they emerged. We used theoretical sampling, rather than random sampling, because (as common with explorative enquiries) we were interested in the diversity and richness of the participants’ answers, rather than in the generalizability of the findings. A pilot study with eight participants revealed the necessity for real life scenarios in several questions, and we revised the interview guide accordingly. We randomized the order of interview questions, in order to reduce bias due to the order of the questions. Two first interviews were conducted by two researchers together in order to ensure that all important questions were asked and well understood by the participants. Each participant was compensated $10 for a 20-minute interview. We audio recorded all interviews and two researchers coded each interview independently. After each coding session, the coders discussed any disagreements until they reached consensus. Overall, we coded 211 responses into 55 unique codes. Researchers disagreed on the coding of 5 responses, achieving inter-rater agreement of 91%.

6.1.1 Participant Recruitment
Takinginto We recruited participants by directly approaching them in public accountthedesignofthedataencryptioniniPhones,i.e.,thateach placessuchasshoppingmalls,libraries,andcoffeeshopsinVan- passcode guessing attempt takes at least 80ms, we can show that couver.Ourinclusioncriteriawereparticipantsofage19yearsand 19.23 bits of entropy corresponds to roughly 14 hours. In com- olderwhousedTouchIDontheiriPhones.Afterthe17thinterview, parison, it would take only 1.1 hour to brute-force passcodes in wedidnotobserveanynewcodesanddecidednottoschedulenew non-TouchIDgroupwithaverageentropyof15.61bits. participants, hencewe stopped interviewingafter 21 participants. WetestedH2hypothesiswithChi-squaredtest(χ-squared=0,p Saturationanalysisofnewconceptswitheachadditionalinterview =1.0).WewereunabletorejectHnull,andhenceweconcludethat isshowninFigure3. 2 6 262 2015 Symposium on Usable Privacy and Security USENIX Association Table2:Participants’demographicsforthethreestudies. StudyI StudyII StudyIII Parameter Value # % # # % Gender Female 30 34 10 220 59 Male 60 66 11 154 41 Age 19to24 43 48 7 110 29 25to34 29 32 4 195 52 35to44 8 9 2 49 13 45to54 2 2 2 17 5 55to64 6 7 3 2 1 65orolder 2 2 3 1 0 Mean 29 30 N/A Median 30 27 N/A Education Highschool 30 34 5 19 5 Collegedegree 22 24 5 129 35 Bachelor 28 31 8 151 40 MasterorPhD 7 8 3 75 20 Other 3 3 0 0 0 Income Lessthan20K 25 28 2 67 18 20K-50K 29 32 3 97 26 50K-80K 16 18 7 70 19 80K-120K 8 9 6 99 26 Above120K 5 6 0 41 12 Prefernottoanswer 7 8 3 0 0 Industry Construction 2 2 2 1 0 Trade 2 2 3 8 2 Transportation 3 3 1 6 2 Financeandrealestate 7 8 3 23 6 Professionalservices 5 6 6 67 17 Businessandbuilding 11 12 0 18 5 Educationalservices 4 4 2 51 13 Healthcareandsocial 5 6 2 52 13 Inform./culture/recreation 3 3 0 16 4 Accommodationandfoodservices 6 7 3 19 5 Publicadministration 1 1 0 9 2 Other 45 41 3 104 27 Role IndividualContributor 122 33 TeamLead 35 9 Manager 46 12 SeniorManager 7 2 Management/C-Level 9 2 Partner 5 1 Owner 18 5 
Volunteer 4 1 Intern 12 3 Student 57 15 Other 59 16 Lockingmethod PIN 66 73 19 Password 20 22 2 None 4 5 0 Lockedwith non-TouchID 177/6/18 PIN/Password/None TouchID 166/7/0 7 USENIX Association 2015 Symposium on Usable Privacy and Security 263 how”protectsdata-at-restwhenadeviceisstolen,i.e.,wouldnot allowtodecryptdatawithoutacorrectfingerprint. “IguessTouchIDwillprotectmyphone.Theycannot openmyphonewithoutmyfinger.Soit[TouchID]will definitelyhelp.”[P1] Another evidence of participants’ confusion was that they in- correctly understood how Touch ID and passcode work together. Thatis,theyassumedthatusingTouchID,inadditiontohavinga passcode,increasessecurityofdata-at-rest,whileinrealityitdoes not. Inaddition,someparticipantsthoughtthatTouchIDprovides highersecurity,comparedtopasscode. Theyjustifiedsuchanan- swer by stating that users tend to use dictionary words as pass- words,whilerandomdigitsareusuallyusedforPINs.Forinstance: Figure 3: The total number of unique codes for each additional interviewinStudyII.Wereachedsaturationaround17thinterview. “Touch ID is more secure than PIN or password be- causeit’suniquefortheowner”[P3] 6.1.2 Procedure “peopleoftenchoosetheirdogs’namesormiddlenames orsomethingsimilarastheirpasswords”[P11] AfteragreeingtobeinterviewedandshowingustheiriPhone5s, 6,or6Plus,eachparticipantwasaskedtoreadandsignaconsent The second most common factor for using a PIN was the lack form. Theinterviewerexplainedthatthepurposeoftheinterview ofknowledgeabouttheabilitytousepasswordsoniPhones. Six wastoinvestigatehowusersinteractwiththeiriPhones.Interviews participantswerenotawarethattheycoulduseapasswordforun- followedtheinterviewguidereproducedinAppendixBandcon- lockingtheiriPhones.Forinstance: sistedofthefollowingparts: [Aftertheparticipantwasexplainedwhatapasscode UsingTouchID: Inthefirstpartoftheinterviews,weaskedpar- is and how to use it.] “Really? I even did not know ticipantstodescribewhytheyuseTouchID,howtheythought thatyoucoulddothis[useapassword]. 
Thatisgood TouchIDworks,whetherit’spossibletouseTouchIDwith- toknow.Iwilllookatittoday”[P4], outsettingupPINorpassword,andwhyandhowTouchID impactstheiPhonesecurity,incasethephonegetsstolen. Two participants stated that they used PINs because the sales staff who helped with setting up their iPhones in Apple Stores, LockingBehaviour: We asked participants whether they locked showedonlythePINoptiontotheparticipants. Asaresult, they theiriPhonesornotandalso, whatmethodtheyused(PIN believedthatthiswastheonlyoptionavailable: orpassword). Weverifiedtheiranswersbyaskingthemto “WhenIboughtmyiPhone,theyaskedmetosetupa unlocktheiriPhones. WeaskedwhytheychosetousePIN PIN.ThatiswhyIamusingPIN”[P5] orpassword.Wealsoaskedparticipantsabouttheirpasscode sharingbehaviour. “They [Apple store customer service employee] only gavemeaPINcodeoption...”[P14] iPhoneData: Thenweaskedparticipantsaboutthemostvaluable dataintheiriPhones,whatdatatheyconsideredtobeconfi- Also, five participants admitted that they got habituated to use dentialorsensitive,andwhotheycaredprotectingitagainst. PINsfromtheirpreviousdevices,andcontinuedtousePINsonthe newiPhones.Inaddition,participantsstatedthattheydidnotwant DataProtection: Weaskedparticipantsforhowlongtheywanted torememberanewpassword, sotheyjustdecidedtousetheold theirdatatobeprotected,incasetheiriPhonesgetstolen. PINonthenewdevice: 6.2 Results “BecauseonmyoldphoneIwaslazytothinkabout passwordbackthen,sonowIjuststuckwithPIN.There 6.2.1 ParticipantDemographics isreallynomajorreason;itisjustthewayitis. Iam Overall,werecruited21participants,outofwhich10werefemales, justtoousedtothisnumberandIamjusttoolazyto andtheaverageagewas29(SD=12.4).Onlyoneparticipantused memorizeanewsetofnumbers.”[P1] apassword,whileallothersusedaPIN.Allparticipantshadowned Unsurprisinglysomeparticipantsstatedthattheydecidedtouse aniPhoneforoverayear. 
Almostallparticipantshadownedan- PINs because it is easier to use, faster to type and easier to re- other smartphone before the current one. In addition, 16 partici- memberincomparisontopasswords. Indeed,similarresultshave pantslosttheirsmartphonesbefore, includingthesixparticipants been shown in previous research, e.g. [31]. In addition, five par- who also were victims of smartphone theft. Participants’ demo- ticipantsstatedthattheydidnotstoreanysensitiveinformationon graphicsaresummarizedincolumn“StudyII”ofTable2. their iPhones, thus, they did not care about the extra level of se- 6.2.2 ReasonsforusingPINs curityapasswordcanprovide. TheybelievedthatPINsaregood enough to protect their phones and did not see a good reason to Themostcommonreasonforusing4-digitPINswasawrongper- switchtopasswords: ceptionofTouchIDimpactondatasecuritywhenadeviceislost or stolen. In particular, nine participants did not understand how “PINiseasier. Idonotwanttotypethewholepass- TouchIDworks,whichledtoconfusionabouttherelationshipbe- wordin.IfIlosemyphone,itisnotabigdealforme. tweenpasscodeandTouchID.TheybelievedthatTouchID“some- Thereisnothingimportantonit”[P15] 8 264 2015 Symposium on Usable Privacy and Security USENIX Association Finally,sevenparticipantsreusedtheirPINsacrossmultiplede- 7. STUDYIII:ONLINESURVEY vicesoraccountsinordertoreducetheamountofinformationthey Theresultsofthefirststudysuggestthelackofanypracticallysig- neededtoremember. Severalparticipantsstatedthat,becausethey nificant impact of Touch ID on passcode selection, prompting us sharedtheiriPhoneswithothers,PINswereeasiertoshareforthem toinvestigatewhyusersdon’tchoosestrongerpasscodes,provided thanpasswords,forinstance: thattheyneedtotypethemrarelyiftheyuseTouchID.Whilethe “SimplicityIguess.AsIsaidbefore,Iamnottheonly findingsfromthesecondstudyofferedpossiblereasonsforstick- person who uses my iPhone. So PIN is easy of ac- ing with 4-digits PINs, the study did not allow us to assess the cessforotherusers. 
Itiseasiertogivesomeone1234 prevalenceofthesereasonsinarepresentativesampleoftheiPhone PIN than ’Charlie-unicorn’ is weird, capitals, aster- users. Ourthirdstudyaimedataddressingexactlythislimitation. isks,etcetera”[P8] We designed it in a form of an online survey, so that we could recruitalargerandmorerepresentativesampleinorder(a)tocor- In summary, participants provided various reasons for sticking roboratestatisticalresultsfromthefirststudy,and,(b)tomeasure with4-digitsPINs. Inparticular, someparticipantsdidnotknow qualitativelytheprevalenceofreasonsforiPhoneusersnotemploy- thattheycanusealphanumericpasswords,otherswereonlyshown ingstrongerpasscodes. howtosetupandusePINs,whentheywereassistedbythesales- peoplewhenpurchasingtheiriPhones. Otherparticipantsjustified 7.1 Methodology theuseofPINsbythefactthattheyhadlowrequirementsforthe Theonlinesurveycloselyresembledinitsstructureourin-person security of data-at-rest on their iPhones. Some participants were questionnaire (Section 5.1). We just added questions for collect- habituated to use PINs from previous devices or wanted to reuse ing descriptive statistics about the reasons for not using stronger PINs across various devices and accounts. Understandably, par- passcodes.AppendixC.1providesouronlinesurvey. ticipantsstressedtheusabilitybenefitsofPINsoverpasswords,as We recruited participants on Amazon Mechanical Turk oneofthereasonstousetheformer. Inparticular,theystatedthat (MTurk) [23] between February and March 2015. We limited PINs are faster, easier to use and memorize. More critically, our MTurk workers to the US participants with HIT approval rate at participants misunderstood how Touch ID works and how it im- 90% and above. Before running the study, we conducted a pilot pacts the security of data-at-rest, in cases when an iPhone is lost with149MTurkparticipantstotestthedatacollectioningeneral orstolen. Finally,PINsweremoreconvenientthanpasswordsfor andthesurveyquestionsinparticular. sharingiPhoneswithothers. 
Incomparisonwiththefirsttwostudies,whichwereconducted 6.2.3 PasscodeSharingBehaviour in-person,theonlinesurveymadeitchallengingtovalidatewhether ornotaparticipanthadaniPhoneandusedtheunlockingmecha- Eight participants shared their passcodes with others for several nismassheclaimedto. Tomitigatethisconcern,theparticipants reasons.First,someparticipantswerepressedtoshare: were asked during the survey to submit two photos: (1) a photo “Ishare[PIN]withmygirlfriendbecausesheforced of their iPhone reflection in a mirror taken with the front-facing meto!”[P2] camera,and(2)ascreenshotoftheunlockinginterface. Examples Second,participantstrustedotherswiththeirdata,and,thusshared ofverificationphotosthatourparticipantssubmittedareshownat theirpasscode: Figure4.WelaterusedthesephotostovalidatetheclaimediPhone model(i.e.,iPhone4,4S,5S)andthelockingmechanism.Inaddi- “I share with my boyfriend because I trust him and tion,wealsoaskedparticipantstoprovideuswiththemodelnum- sometimesheusesmyphone,too”[P19] ber,e.g.,ME302C/A,4 whichhasone-to-onecorrespondencewith “IshareitwithmybestfriendbecauseItrustherand themarketedmodel,e.g.,iPhone5S.Weexcludedresponsesfrom ifshehasmyphoneandneedstolookatit,shecando allthoseparticipantswhoeitherdidnotprovideuswithphotosor that”[P10] whoprovidedphotosthatdidnotmatchtheirchoicesinthesurvey. Finally,wealsousedattentioncheckquestion,similarlytotheone Finally,participantssharedtheirpasscodeswithothersbecauseof weusedinStudyI,inordertocheckiftheparticipantreadinstruc- concernswithemergencysituations,whensomeonecloseneedsac- tionscarefully. Thistime, itwasrevisedtoimprovethewording cesstothephoneoritsdata.Forinstance: (seequestion36inAppendixC.1).Wepaid$1.00toallthepartic- “Isharewithmygirlfriendbecauseifsomethinghap- ipants,includingthosewhofailedtheattentioncheckquestionor penswithme,atleastsheknowsthecodeandcanun- iPhonemodelverificationorunlockingmechanismverification. 
lockthedevice”[P9] 7.2 Results Tosummarize,theparticipantssharedtheirpasscodestoenable emergency access to their phones, or because they trusted others withthedataontheirphones,orbecausetheywerepressedtoshare 7.2.1 Demographics theirphones. Overall,werecruited1,219participantsandassignedthemtoTouch IDandnon-TouchIDgroups,dependingonwhethertheyreported 6.3 Limitations usingTouchIDornot.Attheend,responsesfrom374participants Our interview study has several limitations. As with most quali- weretakingintoaccountduringthedataanalysis,31%oftheones tativeenquiries,theresultsoftheinterviewsarenotgeneralizable. whowererecruited. The results of the analysis might have been impacted by our bi- Non-TouchIDgroup. 698participantshavestartedthesurvey ases. We strived to minimize this bias by using separate coders inthenon-TouchIDgroup,and550finishedit.Onaverageittook and discussing the disagreements. Finally, the participants might eachofthemabout16.3minutes(SD=7.5minutes)tofinishthe have misunderstood some questions. To reduce chances of such survey. Notethatweexcludedsevenparticipantsthatspentmore misunderstanding, we conducted a pilot study with eight partici- pants,withthemainpurposeoftestingtheinterviewquestions.We 4DevicemodelcanbefoundintheModelfieldofiPhone’sSettings alleviatedsomeoftheselimitationsbyconductingourthirdstudy. inGeneral->Aboutsection. 9 USENIX Association 2015 Symposium on Usable Privacy and Security 265 Figure4:Examplesofverificationphotosthatparticipantssentus. Fromlefttoright,(1)aphotoofaniPhonetakenwithfrontfacing camera in a mirror, (2) a screenshot of PIN based iPhone unlock interface, and (3) a screenshot of password-based iPhone unlock interface. thananhourfinishingthesurvey. 
317participantsfailedtosubmit correctphotosoftheiPhoneandscreenshotsofthelockinginter- face,whichleftuswith226eligibleparticipants.Finally,25outof 226participantsfailedtheattentioncheckquestion,whichreduced Figure 5: Reasons for using PIN instead of password for each the non-Touch ID group size to 201 participants, i.e., 37% of all group. participantsthatfinishedthesurvey. TouchIDgroup. 521participantshavestartedthesurvey,and 445finishedit. Onaverageittookabout15.7minutes(SD=6.2 minutes)forparticipantstoanswerthequestions.Similarlytonon- tackerwillneedtodo,onaverage,inordertobrute-forcethewhole TouchIDgroup,weexcludedunqualifiedparticipants. Inparticu- passcode space for Touch ID group, assuming the best case sce- lar,weexcludedfiveparticipantsthatspentoveranhourtofinish nario for defenders, i.e., iPhone users. Considering the observed the study, and all the participants who failed to submit a proper averagepasscodeentropyinTouchIDgroup(14.61bits)andthe proofofaniPhoneandlockingmechanismscreenshot.Wealsoex- maximumpossibledifferencebetweenthegroups(i.e.,1.91bits), cludedalltheparticipantswhofailedtheattentioncheckquestion, wecaneasilyobtainthemaximumpossibleaverageentropyinthe whichreducedourparticipantpooldownto173participants,39% TouchIDgroup(with95%confidence),whichis16.52bits.5 Con- ofthosewhofinished. sidering that for testing each passcode candidate on iPhones, an Theparticipants’demographicsareshownincolumn“StudyIII” attackermustspendatleast80ms,theycanbrute-forcethewhole of Table 2. We recruited participants from various occupations, searchspaceof16.52bitsinsizeinabout2hours. rangingfromagriculturetopublicadministration.Theparticipants’ InordertotestH2hypothesis,wesplitall18participantsinthe job titles also included various positions, such as managers, stu- non-Touch ID group who did not lock their device on those who dents,teamleadersandothers.Ourparticipantshaddiverseeduca- hadTouchID(4)andwhodidnot(14). 
TheresultsofChi-square tionlevels,including75participantswithPh.D.orMastersdegrees. testdidnotrevealanystatisticallysignificantdifference(χ=3.78, Morethan50%oftheparticipantswerebetween25and34years p = 0.05) between the proportions in the two groups. Thus, we old.Finally,ourparticipantshadvariousincomelevels. couldnotverifythecorrelationbetweenthepresenceofTouchID onthephoneandtheuser’swillingnesstolocktheirdevicewitha 7.3 TestingHypotheses passcode. InH1,wehypothesizedthat,duetotheusabilityofTouchID,users 7.4 ReasonsforusingPIN wouldswitchfromPINtopasswordswithabiggersearchspace,in order to increase the work required for a brute-force attack. We In both groups, we asked users for reasons why they used a PIN firstusedChi-squaretesttocheckiftheproportionsofuserswho rather than a password. A summary of participants’ answers is usedPINsandpasswordsinbothgroupsweredifferent.Theresults shown in Figure 5. Note, that for this analysis we excluded the ofthestatisticalanalysisdidnotrevealanystatisticallysignificant lastoption,i.e.,“TouchIDisenough”,frombothgroups,sinceit difference(χ=0.01,p=0.92). wasonlypresentinTouchIDgroup. Ouranalysisdidnotreveal The 95% percentile confidence interval for the difference be- any statistically significant difference in distributions of answers tweenthemeansofpasscodeentropiesintwogroupswas[-1.91, betweenthetwogroups(χ-squared=4.88,p=0.85). +0.95]. Thatimpliesthatincaseif,hypothetically,thereisadif- Theresultsofthestatisticalanalysissuggestedthatusersinboth ference and we just failed to reveal it, due to small sample size, groupsusesimilarreasonsforusingPINs. Wefoundthatthetop thenwith95%confidencewecanstatethatthedifferencebetween mostthreereasonswereeitherrelatedtousabilityofPINs,i.e.,“It meanentropiesofpasscodesinTouchIDandnon-TouchIDgroups is faster” and “It is easier to remember”, or to the gap in knowl- wouldbe1.91bitsatmost. Analysiswitht-testdidnotrevealany edge, i.e., “Didnotknowaboutthepassword”. 
Finally, inTouch statisticallysignificantdifference(t=-0.66,p=0.51)betweenthe IDgroup,morethan25%ofparticipantsstatedthatTouchIDwas non-TouchID(M=14.13bits,s=5.04)andTouchID(M=14.61 5AswithStudyI,thiswasanoverestimationandrealdifferenceof bits,s=8.20)groups. Duetotheresultsofthesestatisticaltests, searchspacesislikelysmaller.Wechosetooverestimatethesearch wecouldnotrejectH1null. spacetoshowtheupperbound,i.e.,themaximumworkanattacker Similarly to Study I, we estimated the amount of work an at- needstodoonaverage. 10 266 2015 Symposium on Usable Privacy and Security USENIX Association
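The entropy and brute-force estimates of Sections 5.2.1 and 7.3 can be reproduced from passcode masks, i.e. the per-position character types the surveys collected. The sketch below is an added example, not code from the paper: the mask letters (d, l, u, s), the alphabet sizes assigned to them, and the sample masks are assumptions, while the 80 ms per-guess floor and the entropy and confidence-interval figures come from the text.

```python
import math
import string

# Assumed mask alphabet (not from the paper): one letter per passcode position.
ALPHABET_SIZE = {
    "d": 10,                       # digit
    "l": 26,                       # lowercase letter
    "u": 26,                       # uppercase letter
    "s": len(string.punctuation),  # ASCII punctuation, 32 characters
}

GUESS_SECONDS = 0.080  # paper: each passcode guess takes at least 80 ms


def mask_entropy_bits(mask):
    """Entropy of a passcode drawn uniformly from the space the mask describes."""
    try:
        return sum(math.log2(ALPHABET_SIZE[c]) for c in mask)
    except KeyError as exc:
        raise ValueError(f"unknown mask character {exc.args[0]!r}") from None


def group_mean_entropy(masks):
    """Mean entropy over participants who lock their phone.

    Empty masks (no passcode) are excluded, as the paper did for Table 1.
    Returns (mean_bits, n_included).
    """
    locked = [m for m in masks if m]
    if not locked:
        raise ValueError("no locked devices in group")
    bits = [mask_entropy_bits(m) for m in locked]
    return sum(bits) / len(bits), len(locked)


def upper_bound_bits(observed_mean, ci_low, ci_high):
    """Paper's upper bound: observed mean plus the widest edge of the 95% CI
    on the difference between group means."""
    return observed_mean + max(abs(ci_low), abs(ci_high))


def exhaustive_search_hours(entropy_bits, guess_seconds=GUESS_SECONDS):
    """Hours needed to try every candidate in a space of 2**entropy_bits."""
    return (2 ** entropy_bits) * guess_seconds / 3600


if __name__ == "__main__":
    # Constructed sample group: three PINs, one unlocked phone, one password.
    sample = ["dddd", "dddd", "dddddd", "", "ullllldd"]
    mean_bits, n = group_mean_entropy(sample)
    print(f"sample group: mean {mean_bits:.2f} bits over {n} locked devices")

    # Figures reported in the paper for Study I and Study III.
    for label, mean, lo, hi in [("Study I", 15.88, -3.35, 2.81),
                                ("Study III", 14.61, -1.91, 0.95)]:
        bound = upper_bound_bits(mean, lo, hi)
        hours = exhaustive_search_hours(bound)
        print(f"{label}: upper bound {bound:.2f} bits, {hours:.1f} h to exhaust")
```

Even at the upper bound, the whole search space is exhausted in hours, which is why the paper treats the observed entropy differences as practically insignificant.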
