Ruhr-Uni-Bochum

The Same PIN, Just Longer: On the (In)Security of Upgrading PINs from 4 to 6 Digits

2022

Conference / Journal

Authors

Elena Korkes Miles Grant Alexandra Nisenoff Collins W. Munyendo Adam J. Aviv Blase Ur Philipp Markert

Research Hub

Research Hub D: Benutzerfreundlichkeit

Research Challenges

RC 11: End-users and Usability

Abstract

With the goal of improving security, companies like Apple have moved from requiring 4-digit PINs to 6-digit PINs in contexts like smartphone unlocking. Users with a 4-digit PIN thus must "upgrade" to a 6-digit PIN for the same device or account. In an online user study (n=1010), we explore the security of such upgrades. Participants used their own smartphone to first select a 4-digit PIN. They were then directed to select a 6-digit PIN with one of five randomly assigned justifications. In an online attack that guesses a small number of common PINs (10–30), we observe that 6-digit PINs are, at best, marginally more secure than 4-digit PINs. To understand the relationship between 4- and 6-digit PINs, we then model targeted attacks for PIN upgrades. We find that attackers who know a user's previous 4-digit PIN perform significantly better than those who do not at guessing their 6-digit PIN in only a few guesses using basic heuristics (e.g., appending digits to the 4-digit PIN). Participants who selected a 6-digit PIN when given a "device upgrade" justification selected 6-digit PINs that were the easiest to guess in a targeted attack, with the attacker successfully guessing over 25% of the PINs in just 10 attempts, and more than 30% in 30 attempts. Our results indicate that forcing users to upgrade to 6-digit PINs offers limited security improvements despite adding usability burdens. System designers should thus carefully consider this tradeoff before requiring upgrades.

Tags

Usable Security and Privacy
Behavior
Understanding and Transforming Security and Privacy Behaviors