Google tackles passcode fatigue with motion-based anti-lock

A new feature in Android keeps your passcode-protected smartphone unlocked when it’s on your body, a move that reduces the hassle of typing a passcode but also leaves devices exposed to muggers.

If you’re diligent about securing your Android smartphone, you’ve probably configured the device to require a passcode as soon as you hit the power button. That’s good practice but it can get tedious if you receive loads of notifications or just feel the need to check your phone frequently.

Apple has smoothed over this process with its Touch ID fingerprint scanner, while Google, without the aid of a fingerprint scanner on all Android devices, has developed Smart Lock — a collection of authentication methods using the camera for facial recognition; GPS for location-based authentication; Bluetooth to authenticate via trusted devices such as an Android Wear watch or car; and NFC for trusted tags.

Smart Lock is not available on all versions of Android or all hardware, but where it’s supported it can cut down on passcode fatigue.

The latest addition to the Smart Lock family is motion-based authentication, which relies on the device’s accelerometer to deduce when a phone that has been unlocked is probably being carried by the rightful owner. So if a person unlocks their phone, hits the power button and slips the phone into their pocket, it remains unlocked the next time they pull it out. That’s one less time they need to type in their passcode.

Google quietly introduced the new feature recently. It was first noticed on Nexus 4 phones running Android 5.0.1 as well as devices running Android 5.1, the most recently updated build of Android 5.0 (Lollipop).

The feature was first reported by Android Police and appears to have been introduced via an update to Google Play Services (GPS), meaning the feature could roll out to most Android devices since it’s not tied to the core OS.

The new feature isn’t strictly designed to improve security but rather to make authentication less of a pain for those who want to protect their information from intruders who have physical access to the hardware.

In this way, the feature makes it less cumbersome to enable passcode lock — which is a good thing — but it also could render auto-locking a useless feature if a mugger nabs the hardware.

Google highlights a few caveats.

“On-body detection can't tell whose body is connected to on-body detection. If you give your device to someone else while it's unlocked, your device may stay unlocked using on-body detection. Keep in mind that on-body detection as a security feature is less secure than a pattern, PIN, or password. Someone who takes your phone while it's unlocked with on-body detection could access it,” it notes.

In other words, if you’ve enabled the feature and you get mugged for your phone, there’s a chance the device will stay unlocked.

Those who want to protect the information their device is privy to could always use Android Device Manager to remotely wipe the device.

However, that won't stop a thief from initiating a factory reset and subsequently claiming ownership of the hardware.

It's unclear how the feature would play out with Google’s Device Protection that came with the recently announced Android 5.1. The feature could prevent a factory reset if the device was set up with a passcode lock.

Once enabled, the device will remain locked until the user signs into their Google account. It will stay that way even if a thief or finder attempts to return the device to factory settings. The requirement of knowledge of the Google account credentials thwarts the thief who simply wants the hardware.

Android hardware that does support Device Protection will be able to activate the feature remotely via Android Device Manager.

However, an early review of Android 5.1 by Ars Technica showed that the Nexus 6 and Nexus 9 supported Device Protection but the Nexus 5 did not.

This article is brought to you by Enex TestLab, content directors for CSO Australia.
