ColorSnakes: Using Colored Decoys to Secure Authentication in Sensitive Contexts

In this paper we present ColorSnakes, a PIN-based authentication mechanism for smartphones which uses fake paths on a grid of numbers to disguise user input. In a lab study (n=24),we evaluated variations of ColorSnakes in terms of usability and security. In comparison to direct input, indirect input significantly reduced the risk of shoulder surfing (10.5%) without increasing the input time. In a follow up real-world study (n=12), we compared ColorSnakes with PIN entry and Android's Pattern Unlock over the course of three weeks. Although authentication time for ColorSnakes was higher than for the other two mechanisms, participants valued the security benefit over its slightly higher error rate and increased authentication time. We argue that ColorSnakes could be used as an additional authentication mechanism alongside current mechanisms, thus providing the user with the choice of changing to ColorSnakes for certain applications or when there is an observer.