Would you rather unlock your smartphone with a plain four-digit PIN or with a smiley-face emoji? Would it be easier and more pleasant to remember “????,” for example, or “2476”?
Smartphone users commonly use emoji to express moods, emotions and nuances in emails and text messages – and even communicate entire messages only with emoji. In 2015, a British company tried using emoji passcodes in place of PINs at bank ATMs. But there had been no formal study of how easy they were to use, or how secure they were in comparison to other methods, like PINs.
To learn more, in the lab and in the real world, a team of researchers from the Technical University Berlin, Ulm University and University of Michigan, led by TU Berlin Ph.D. candidate Lydia Kraus, developed EmojiAuth, an emoji-based login system for Android smartphones. How well would users remember their emoji passcodes? Could they be more secure, too? And might they be more fun, adding a bit of enjoyment every time a user unlocked her phone?
Creating emoji passcodes
Most smartphone users keep their screens locked and need to unlock them numerous times a day. Many people use numerical PINs, but research tells us that images are easier to memorize and recall than numbers or letters. PINs can also only be composed from a small number of symbols: the numbers 0 to 9. Passwords can be created from a larger set of characters but are difficult to type on smartphones. Using emojis, on the other hand, allows us to draw from over 2,500 emojis, which promises passcodes that are more resistant to cracking and casual observation.
In our initial experiment, we gave 53 participants an Android phone and divided them into two groups. The first group of 27 people selected a passcode made up of any of 12 emoji on an emoji keyboard individually generated for each user from the library of all possible emoji icons. (Once set, each user’s emoji keyboard stayed the same.) The remaining 26 people picked a numeric PIN.
People most frequently used one of three methods to choose an emoji sequence: based on a pattern on the emoji keyboard (such as down one side or emojis in the corners), personal preferences for particular emoji and constructing stories with the emojis. For example, one participant had a song in mind and chose emojis that corresponded to the words of the song. After practicing entering their new passwords several times, the subjects were asked to return a week later to reenter their passwords into our test smartphone.
Our lab results showed both PINs and emoji passcodes were very memorable. Overall, PIN users remembered their passwords slightly more often, though that may be because many people are used to memorizing PINs. But the people who used emoji passcodes reported having more fun entering their codes.
Out in the field
Next, we wanted to explore how emoji passcodes held up in everyday use. On the Android phones of 41 participants, we installed a special login screen for their smartphones’ email app for about two weeks. About half of them used emoji passcodes; the others used PINs.
As we had found in the lab study, the users who used emoji passcodes picked emoji that made patterns on the keyboard, or that they personally like, or matched stories they made up.
Both groups of users, those using emojis and those using PINs, reported their passcode was easy to remember and use. But the emoji-using group’s passcodes were more fun to enter than just numbers.
At the end of the field study, we tested the security of emoji passcodes. We asked participants to “shoulder surf,” peeking over the researcher’s shoulder while she entered a passcode.
We found that emoji passcodes consisting of six randomly selected emoji were hardest to steal over a user’s shoulder. Other types of passcodes, such as four or six emoji in a pattern, or four or six numeric digits, were easier to observe and recall correctly.
Our studies, which one of our team presented on May 30 in Rome, show that emoji-based mobile authentication is not only practical but also an enjoyable method of remembering and protecting passwords – so long as users don’t use emoji in a sequence that correspond to a pattern on the keyboard.