The latest Android smartphones offer various different ways to lock the screen. You can set up a pattern lock, PIN or password, or unlock it with your fingerprint or even your face. Such a variety of options can be confusing, so let’s find out which method is the most secure, and which is the most practical.
Modern operating systems effectively prevent intruders from guessing your PIN code by limiting the number of login attempts and increasing the interval between new attempts. Therefore, in theory, a PIN code — especially a long one, consisting of six or eight digits — could be a fairly secure option for protecting your smartphone.
But there are a couple of key points to bear in mind. First, to ensure maximum security, a PIN should ideally be a random string of numbers. But most people tend to set something easy to guess — most often based on their date of birth. This makes it much easier to break into the phone.
Secondly, in order for the PIN code to protect your phone effectively, it must be kept in secret. The average person unlocks their smartphone very frequently — hundreds of times a day. So if someone is aiming to sneak a peek at your PIN code, they’ve plenty of opportunities.
A complex password — that is, a combination of characters using both numbers and letters — is much more secure than even a long PIN code. With the restrictions the operating system puts on the number of login attempts, it’s almost impossible to guess it. It’s also more difficult to peek at and remember.
But there’s an obvious handicap: entering a lengthy password hundreds of times a day gets very tedious. So such a security measure is only suitable as a backup option, which complements a more convenient way of unlocking your phone — say, using your fingerprint.
A pattern lock is probably the least secure way of protecting your smartphone. In theory, there are about 390 thousand possible lock patterns on an Android device. Some of them are truly complex. But in practice most people use very short, easy to guess patterns.
In about 50% of cases, the patterns start from the upper left corner — that is, the starting point is very predictable. And of course, people tend to use memorable shapes for their pattern locks. That makes guessing the right pattern much easier than it might seem at first.
Also, it’s not too hard to take a peek at someone entering their pattern lock and remember it: distinctive finger movements are easier to track than touching virtual buttons. In addition, entering patterns often leaves marks on the screen, further improving chances of a successful hack. Given all of the above, we strongly advise against using a pattern lock to protect your smartphone.
The technology used to unlock a smartphone by fingerprint appeared in its current form 10 years ago, so by now it’s been well tested. Of course, it has its drawbacks: there are several ways of getting into the phone by creating a fake fingerprint of the phone’s owner.
In addition, researchers have recently discovered a number of vulnerabilities related to this authentication method. There was an attack that exploits these vulnerabilities named BrutePrint. It allowed hackers to brute force the fingerprint recognition mechanism.
However, these are all sophisticated techniques that require a fairly high level of expertise, as well as certain exotic equipment and the motivation to spend a lot of time and effort on hacking. Therefore, for the vast majority of Android users, fingerprint authentication remains a secure option.
Of course, if your phone contains highly confidential information, you may need to take such sophisticated attacks into account in your personal threat model. In that case, we recommend only using a long password and entering it as infrequently and as secretly as possible so that nobody gets a chance to see it. But for the rest of us, the best option for “everyday” Android smartphone unlocking is still a fingerprint, which can be complemented by a long PIN code or, even better, a complex password, as a backup method.
Unfortunately, for Android there’s no full-fledged analog of the already well-established Face ID technology that’s used in iPhones. Android smartphones use the front camera for face recognition. It’s a significantly less secure method that’s much easier to trick.
Google speaks about this quite eloquently itself. To date, the company cites the Face Unlock function as the least secure. That’s why, starting with Pixel 7, you can only use face recognition to unlock the screen, but you can’t confirm payments or log in to applications:
“You can’t use Face Unlock on Pixel 7 or later to sign in to apps or make payments. For those activities, you can make use of Fingerprint Unlock and/or strong passwords, patterns or PINs instead.”
Even if you’re using a different Android smartphone that does allow you to confirm payments with your face, it’s unlikely that the technology running on it is any more secure. In my view, all Android smartphone owners should heed Google’s advice: it’s better to avoid using face recognition to unlock your phone.
How to securely protect your Android smartphone from strangers
To sum up: the perfect security combo for Android phones is a fingerprint for everyday unlocking, plus a long PIN code — or even better, a strong password — as a fallback.
You’ll be entering your PIN code or password very rarely, so you can be generous with the character length. But make sure to save your password or PIN code in a safe place in case you forget it — for example, in an encrypted note in Kaspersky Password Manager.
A few final tips:
- Set your screen to lock automatically after a short period of inactivity. This will help protect your smartphone from strangers if you forget to lock it.
- Some Android smartphones (such as Samsung ones) allow you to enable device-resetting after a certain number of unsuccessful login attempts. If you keep some particularly important data on your phone, consider this option.
- Protect all applications that allow you to do this with a separate PIN code or password. By the way, with the App Lock function, available in the paid version of Kaspersky for Android, you can set a PIN code for any application.