This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs
2020, Conference / Journal
Philipp Markert, Maximilian Golla, Markus Dürmuth, Daniel V. Bailey, Adam J. Aviv
Research Hub
Research Hub D: Usability
Research Challenges
RC 11: End-users and Usability
In this paper, we provide the first comprehensive study of user-chosen 4- and 6-digit PINs (n=1220) collected on smartphones with participants being explicitly primed for device unlocking. We find that against a throttled attacker (with 10, 30, or 100 guesses, matching the smartphone unlock setting), using 6-digit PINs instead of 4-digit PINs provides little to no increase in security, and surprisingly may even decrease security. We also study the effects of blacklists, where a set of “easy to guess” PINs is disallowed during selection. Two such blacklists are in use today by iOS, for 4 digits (274 PINs) as well as 6 digits (2910 PINs). We extracted both blacklists and compared them with four other blacklists, including a small 4-digit (27 PINs), a large 4-digit (2740 PINs), and two placebo blacklists for 4- and 6-digit PINs that always excluded the first-choice PIN. We find that the relatively small blacklists in use today by iOS offer little or no benefit against a throttled guessing attack. Security gains are only observed when the blacklists are much larger, which in turn comes at the cost of increased user frustration. Our analysis suggests that a blacklist at about 10 % of the PIN space may provide the best balance between usability and security.
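The abstract's attacker model is easy to make concrete: a throttled attacker with a budget of 10, 30 or 100 guesses who knows the blacklist and spends each guess on the most popular PIN that is still allowed, and a blacklist that succeeds only if it removes probability mass from the head of the distribution. The following is an added example, not code or data from the paper or the authors. The PIN counts in it are constructed so the results can be checked by hand (a small hand-weighted head over a completely flat tail covering the whole 4-digit space); they are not the n=1220 study data and the numbers they produce say nothing about the paper's measurements. The function names (`attack_success`, `blacklist_of_size`, `sweep`) and the re-pick rule (users whose first choice is blocked re-choose with the same popularity profile as the allowed PINs, i.e. proportional redistribution) are this example's own assumptions; the study measured real re-choices instead.

```python
"""Throttled-guessing evaluation of a PIN distribution, with and without a blacklist.

Added example, not the paper's code or data. All counts below are constructed.
"""
from typing import Dict, FrozenSet, List, Tuple

PIN_LENGTH = 4
SPACE = 10 ** PIN_LENGTH

# Constructed head of the distribution: a handful of "popular" PINs with made-up
# weights, scaled x100 so the head clearly outweighs the flat tail added below.
_HEAD: Dict[str, int] = {
    "1234": 3000, "0000": 1200, "1111": 900, "2580": 800, "1212": 600,
    "7777": 500, "1004": 400, "2000": 400, "4444": 300, "2222": 300,
    "6969": 200, "9999": 200, "3333": 200, "5555": 200, "6666": 200,
    "1122": 100, "1313": 100, "8888": 100, "4321": 100, "2001": 100,
    "1010": 100,
}


def constructed_counts() -> Dict[str, int]:
    """Every PIN in the space gets count 1 (flat tail); head PINs get their weight.
    Total mass: 9979 tail PINs + 10000 head mass = 19979 (constructed)."""
    counts = {f"{p:0{PIN_LENGTH}d}": 1 for p in range(SPACE)}
    counts.update(_HEAD)
    return counts


def _ranked(counts: Dict[str, int], blacklist: FrozenSet[str]) -> List[Tuple[str, int]]:
    """Allowed PINs, most popular first (ties broken by PIN string for determinism)."""
    allowed = [(p, c) for p, c in counts.items() if p not in blacklist]
    allowed.sort(key=lambda pc: (-pc[1], pc[0]))
    return allowed


def blacklist_of_size(counts: Dict[str, int], n: int) -> FrozenSet[str]:
    """An 'informed' blacklist: the n most popular PINs in the data."""
    return frozenset(p for p, _ in _ranked(counts, frozenset())[:n])


def attack_success(counts: Dict[str, int], guesses: int,
                   blacklist: FrozenSet[str] = frozenset()) -> float:
    """Fraction of users compromised by an attacker who knows the blacklist and
    spends `guesses` attempts on the most popular allowed PINs, in order.

    Modelling assumption (this example's, not the paper's): users whose first
    choice is blocked re-pick with the same popularity profile as the allowed
    PINs, so the blocked mass is simply renormalised away.
    """
    ranked = _ranked(counts, blacklist)
    total = sum(c for _, c in ranked)
    if total == 0:
        raise ValueError("blacklist covers every PIN in the data")
    return sum(c for _, c in ranked[:guesses]) / total


def sweep(counts: Dict[str, int],
          sizes: Tuple[int, ...] = (0, 3, 10, 21, 1000),
          budgets: Tuple[int, ...] = (10, 30, 100)) -> List[Tuple[int, float, Tuple[float, ...]]]:
    """For each blacklist size: (size, fraction of PIN space blocked, success per budget)."""
    rows = []
    for n in sizes:
        bl = blacklist_of_size(counts, n)
        rows.append((n, n / SPACE, tuple(attack_success(counts, g, bl) for g in budgets)))
    return rows


if __name__ == "__main__":
    data = constructed_counts()
    print("blacklist  frac_space  success@10  success@30  success@100")
    for size, frac, succ in sweep(data):
        print(f"{size:>9}  {frac:>10.3f}  " + "  ".join(f"{s:>10.1%}" for s in succ))
```

Two things in the toy run are worth noticing even though the numbers themselves are meaningless. First, the attacker's advantage comes entirely from the head: once the 21 weighted PINs are blocked, success at 10 guesses collapses to 10 over the remaining space. Second, growing the blacklist from 21 to 1000 entries makes success slightly *larger*, because the extra 979 blocked PINs carried no mass, so they only shrank the space the attacker has to cover. A blacklist is only as good as the probability mass it removes, which is why its size has to be judged against the actual choice distribution rather than as a raw count.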