“Knock Codes” and Lock Patterns Are Not as Secure as You May Think

Written by Bill Toulas
Last updated July 15, 2020

Researchers from the New Jersey Institute of Technology, the George Washington University, and the Ruhr University in Bochum have joined forces to determine the security level that underpins “knock codes” or lock patterns in smartphones.

Knock codes first appeared in 2014 on LG devices, and are based on setting up a tapping sequence on a 2-by-2 grid. The sequence must be between six and ten taps to be valid. Due to the massive number of possible combinations that arise from this, it is considered a secure way to lock your device - at least theoretically.

In practice, though, things deviate from the assumptions because of the human factor and our tendency to make everything convenient. The researchers conducted an online study with 351 participants and found that 65% of them followed very specific tapping sequences and patterns.

Due to Western reading habits, the participants started tapping at the top left corner point and then continued with the right corner as the second tapping point. As for the third point, the participants would either follow an hourglass shape pattern, a square, or the shape of the number 7.

The researchers then tested out a larger grid to see what effects this would have, but the participants simply used a smaller knock code, believing that their pattern would “get lost” in the larger grid more easily.

The study found that the users had difficulty remembering the codes, as 10% forgot their tapping sequence after just five minutes. In conclusion, the team recommends that smartphone manufacturers offer a feature that detects easy-to-guess knock codes and advises the user to pick something stronger instead.
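A sketch of the kind of check the researchers recommend, as an added example that is not code from the study or from any vendor. The quadrant numbering, the reading of "right corner" as top-right, and the two heuristic rules marked in the comments are assumptions.

```python
# Added example: not code from the study or from any vendor.
# Quadrants of the 2-by-2 grid are numbered 1=top-left, 2=top-right,
# 3=bottom-left, 4=bottom-right (a labelling assumed for this sketch).
MIN_TAPS, MAX_TAPS = 6, 10   # valid length range stated in the article
QUADRANTS = (1, 2, 3, 4)


def keyspace(prefix=()):
    """Count valid codes (all lengths) that begin with `prefix`."""
    return sum(len(QUADRANTS) ** (n - len(prefix))
               for n in range(max(MIN_TAPS, len(prefix)), MAX_TAPS + 1))


def shortest_period(code):
    """Length of the shortest block whose repetition produces `code`."""
    for p in range(1, len(code) + 1):
        if all(code[i] == code[i % p] for i in range(len(code))):
            return p


def check_knock_code(code):
    """Return a list of warnings; an empty list means no rule fired."""
    code = tuple(code)
    if not MIN_TAPS <= len(code) <= MAX_TAPS or set(code) - set(QUADRANTS):
        return ["invalid: need 6-10 taps on quadrants 1-4"]
    warnings = []
    # Habit reported by the study: top-left first, then the right corner
    # (read here as top-right).
    if code[:2] == (1, 2):
        warnings.append("starts top-left then top-right")
    # The two rules below are heuristics assumed for this sketch.
    if len(set(code)) < 3:
        warnings.append("uses fewer than three quadrants")
    if shortest_period(code) <= len(code) // 2:
        warnings.append("repeats a short block")
    return warnings


if __name__ == "__main__":
    print("all valid codes:", keyspace())
    print("codes starting top-left, top-right:", keyspace((1, 2)))
    for sample in ([1, 2, 1, 2, 1, 2], [3, 1, 4, 2, 2, 3]):  # constructed
        print(sample, check_knock_code(sample))
```

Under these assumptions, only one in sixteen valid codes begins with the top-left, top-right pair, which is why a habit shared by many users shrinks the space an attacker has to search.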

Related: Security Researchers Take a Deeper Look at PIN Security

Back in March, we presented the findings of a study that focused on the security of four-digit PINs, and the fact that guessing many of them was surprisingly easy in some cases. This leaves biometric authentication as the only method that can be considered adequately secure, while it also happens to be the most convenient.

Of course, biometrics aren’t without flaws or weaknesses, but they still seem to be the best choice the user has right now. Based on estimates, approximately 700,000 users in the United States alone rely on “Knock codes,” so the problem doesn’t only concern a small category of people.
