Personal Identification Numbers: Cracking the Code

First study of user-chosen mobile device PINs finds 6-digit PINs provide no increase in security

May 19, 2020

Unlocking a mobile device

MEDIA CONTACTS:
Timothy Pierce: [email protected], 202-994-5647
Jason Shevrin: [email protected], 202-994-5631

SUMMARY
In the first comprehensive study of user-chosen 4- and 6-digit Personal Identification Numbers (PINs), researchers have found that using a 6-digit PIN instead of a 4-digit PIN to unlock a mobile device provides little to no increase in security, and may even decrease security, when considering an attacker who is limited to a small number of guesses.

Researchers also found that blacklists, currently used by Apple iOS to disallow “easy to guess” PINs during PIN selection, offer little to no security benefit.

THE SITUATION
Despite the rise of biometrics, such as fingerprint or facial recognition, mobile devices still require the use of a PIN, such as after a device restart or when the biometric fails.

Previous research on PINs focused primarily on the context of banking as part of the chip-and-PIN system. The new study fills a vital knowledge gap in the area of mobile unlock authentication.

FINDINGS AND RECOMMENDATIONS
Using a throttled attack model, in which the device settings limit the attacker to a small number of guesses, the researchers found:

  • The most common 6-digit PINs may actually be easier to guess and less secure than the most common 4-digit PINs.
  • Mobile device users believe, largely incorrectly, that blacklists will improve their PINs without impacting usability.
  • Currently employed PIN blacklists are ineffective against a throttled attack model.

Given their findings, the researchers recommend the following to mobile developers:

  • Developers should carefully consider the threat model. Mobile devices throttle a guessing attack, making longer PINs and today’s blacklists ineffective in that setting. Longer PINs can be justified only against an unthrottled attacker who can make many more guesses.
  • To balance security and usability needs, a blacklist should contain about 10% of the PIN space.

FROM THE RESEARCHER
“Because of the limited number of guesses, an attacker would have only 5 to 20 attempts to guess someone’s PIN. In such a setting, there is little extra security gained from 6-digit PINs. In fact, it seems that the weakest 6-digit PINs are weaker than the weakest 4-digit PINs. That is, people choose worse 6-digit PINs for the most guessable PINs than they would for 4-digit PINs. As a result, an attacker would probably find it easier to guess someone’s 6-digit PIN than someone’s 4-digit PIN if they only had a small number of tries.”

- Adam Aviv, associate professor of computer science at the George Washington University

PUBLICATION INFORMATION
The paper, “This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs” appeared at the 41st Institute of Electrical and Electronics Engineers Symposium on Security and Privacy.

To schedule an interview with Dr. Aviv or his co-authors from Ruhr University Bochum and Max Planck Institute for Security and Privacy, please contact Timothy Pierce at [email protected].