Smartphone owners who unlock their devices with knock codes aren’t as safe as they think, according to new research.

Knock codes work by letting people select patterns to tap on a phone’s locked screen. LG popularized the method in 2014, and now there are approximately 700,000 people using this method in the U.S. alone, along with one million downloads worldwide of clone applications for Google Android devices generally, the researchers said.

Raina Samuel, a doctoral student in computer science at NJIT’s Ying Wu College of Computing, said she had the idea for this research while attending a security conference in 2017.

«During that conference I heard our co-author Adam Aviv give a presentation. He was talking about passwords, PINs, shoulder surfing and how these mobile methods of authentication can be manipulated and insecure sometimes,» she said. «At the time, I had an LG phone and I was using the knock codes. It was a bit of a personal interest for me.»

Knock codes typically present users with a 2-by-2 grid, which must be tapped in the correct sequence to unlock their phone. The sequence is between six and ten taps. The researchers analyzed how easily an attacker could guess a tapping pattern.

In an online study, 351 participants picked codes. The researchers found that 65% of users started their codes in the top left corner, often proceeding to the top right corner next, which could be attributed to Western reading habits. They also found that increasing the size of the grid didn’t help, instead making the users more likely to pick shorter codes.

Story Source: Materials provided by George Washington University. Note: Content may be edited for style and length.