Mobile device security has become increasingly important as we become more dependent on mobile devices. One fundamental security problem is user authentication, and if not executed correctly, leaves the mobile user vulnerable to harm like impersonation and unauthorized access. Although many user authentication mechanisms have been presented in the past, studies have shown mobile users preferring usability over security. Furthermore, mobile users often unlock their devices in public spaces, inevitably resulting in a high possibility of user credentials disclosure. Motivated by the above, we introduce a novel user-habit-oriented authentication model, where mobile users can integrate their own habits (or hobbies) with user authentication on mobile devices. The user-habit-oriented authentication turns a tedious security action into an enjoyable experience. In addition, we propose a rhythm-based authentication scheme, providing the first proof of concept toward secure user-habit-oriented authentication for mobile devices. The proposed scheme also takes the first step toward using the theory of mind into security field. Experimental results show that the proposed scheme has high accuracy in terms of false rejection rate. In addition, the proposed scheme is able to protect from attacks caused by credential disclosure, which could be fatal if it was done through the traditional schemes.