Users can set up a PIN for the messaging app Signal. However, many users are unclear what benefit this offers. This was shown in a survey by the Horst Görtz Institute for IT Security (HGI) at Ruhr-Universität Bochum and the George Washington University. Signal uses the PIN for an encrypted cloud backup of contact details, settings and profile information as well as – on request – to authenticate the user when they first log in. However, almost half of the respondents assumed that there was another purpose, such as that the PIN would be used to unlock the app.
The researchers collected data from 235 Signal users, mainly from Germany, the USA and the United Kingdom, from the beginning of September to the beginning of November 2020. The results of the online survey are being presented at the USENIX Symposium on Usable Privacy and Security by Daniel Bailey and Philipp Markert from HGI together with the US researcher Adam Aviv. It takes place from 8 to 10 August as a virtual conference. The data is available in advance as a freely accessible preprint.
Many people do not know what the PIN is for
14 per cent of respondents had not used a PIN in Signal. The main reason that most of them gave was that this was too laborious. Among the remaining respondents, 43 per cent were unable to state correctly what Signal uses the PIN for. They also often assigned short PINs that only consisted of numbers. The 57 per cent of respondents who did actually know the purpose of the PIN often used complex alphanumeric passwords, which they saved in a password manager.
Communication not suitable for new target groups
“The communication from Signal appears to mainly work for users who seek information about the functioning of the app in forums and blogs,” says Philipp Markert from the Mobile Security Research Group at HGI. “Many of the users who switched to Signal in early 2021 due to a change in the WhatsApp terms of use presumably do not belong to this group.”
Security could benefit from optimised user communication: It could be helpful, for instance, to not talk about a PIN as this encourages users to enter a short series of numbers, the authors of the study say. They suggest a name such as “account recovery password”, which would describe the purpose and show users that they are not limited in their choice of characters.
Clearer communication with users could also help to avoid unpleasant surprises. Unlike WhatsApp, for instance, Signal does not automatically create a backup of all messages. This feature first has to be activated in the settings.
Expanded blocklist would offer more security
An expanded blocklist that prevents users from assigning particularly popular PINs would also offer greater security. “Signal has already implemented a short blocklist, which prohibits especially weak PINs consisting of numbers, such as those that are comprised of several of the same number, or ascending sequences of numbers such as 1234,” explains Philipp Markert. However, popular combinations such as years would be possible. The researchers thus considered an expanded blocklist to be sensible. This should also exclude frequently-used passwords, such as the word “password.”
Why PINs are useful in Signal
In contrast to other messaging services, Signal promises greater privacy, such as by not saving messages and contacts centrally in an unencrypted form. Such data was not saved centrally at all in the past, but instead only on users’ smartphones. This meant that all of the data was lost if someone started using a new device. In order to offer a restore service, Signal introduced Secure Value Recovery at the end of 2019. This feature allows the data saved in the cloud to be restored when a mobile phone is changed. It is stored in an encrypted form – it can only be decrypted with the PIN.
Signal has also been using the same PIN for what is known as the Registration Lock since March 2018. If users log into the service for the first time, they are sent an SMS to confirm that they have access to the registered mobile number. This process can be secured with the PIN so that no one who intercepts the SMS can register with another number.
The researchers informed Signal about their results before publication.
Funding
The work was supported by the National Science Foundation (grant number 184530), the State of NRW as part of the research group “Human Centered Systems Security” and the German Research Foundation as part of the cluster of excellence Cyber Security in the Age of Large-Scale Adversaries, CASA (EXC 2092 – 390781972).
Original publication
Daniel V. Bailey, Philipp Markert, Adam J. Aviv: “I have no idea what they’re trying to accomplish:” Enthusiastic and casual Signal users’ understanding of signal PINs, USENIX Symposium on Usable Privacy and Security (SOUPS), 2021, Virtual Conference, Download Preprint
Press contact
Philipp Markert
Mobile Security Research Group
Horst Görtz Institute for IT Security
Ruhr-Universität Bochum
Germany
Phone: +49 234 32 28669
Email: philipp.markert(at)rub.de
General note: In case of using gender-assigning attributes we include all those who consider themselves in this gender regardless of their own biological sex.
