With the pervasiveness of smartphones and the richness of mobile apps, many people are storing increasingly sensitive data on them, in greater quantities. In order to protect this sensitive information from misuse due to loss, or other accidental reasons, strong smartphone authentication has become imperative and has received considerable attention in recent years. However, when we directly implement traditional authentication schemes in smartphone devices, the balance between security and user-friendliness of authentication becomes challenging, mainly because of the input-in-motion environments. In this paper, without adding extra hardware devices, we present a user-friendly, dual-factor authentication scheme called Duth, for Android smartphone devices. Specifically, the proposed Duth scheme is characterized by utilizing the spatial and time features of the user-writing process as two factors of authentication; a user can be authenticated only if these two features are fulfilled. We implement Duth in Java as a library, which we make publicly available. With extensive discussions on parameter selection, we choose proper parameters and implement Duth on a smartphone with Android 2.3 for experiments, and the experiment results demonstrate that Duth can indeed achieve efficient and effective dual-factor authentication. Copyright © 2014 John Wiley & Sons, Ltd.