On the Security of Smartphone Unlock PINs

In this article, we provide the first comprehensive study of user-chosen four- and six-digit PINs (n=1705) collected on smartphones, with participants explicitly primed for device unlocking. We find that against a throttled attacker (with 10, 30, or 100 guesses, matching the smartphone unlock setting), using six-digit PINs instead of four-digit PINs provides little to no increase in security and, surprisingly, may even decrease security. We also study the effects of blocklists, where a set of "easy to guess" PINs is disallowed during selection. Two such blocklists are in use today by iOS, for four digits (274 PINs) as well as six digits (2,910 PINs). We extracted both blocklists and compared them with six other blocklists, three for each PIN length. In each case, we had a small blocklist (four-digit: 27 PINs; six-digit: 29 PINs), a large blocklist (four-digit: 2,740 PINs; six-digit: 291,000 PINs), and a placebo blocklist that always excluded only the participant's first-choice PIN. For four-digit PINs, we find that the relatively small blocklist in use today by iOS offers little to no benefit against a throttled guessing attack. Security gains are only observed when the blocklist is much larger. In the six-digit case, we were able to reach a similar security level with a smaller blocklist. As user frustration increases with the blocklist's size, developers should employ a blocklist that is as small as possible while still ensuring the desired security. Based on our analysis, we recommend that for four-digit PINs a blocklist should contain the 1,000 most popular PINs to provide the best balance between usability and security, and that for six-digit PINs the 2,000 most popular PINs should be blocked.
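The trade-off the abstract describes (throttled attacker success versus the share of users a blocklist forces to reselect) can be measured directly on a PIN-frequency distribution. The following is an added illustration, not the paper's code or data set: the PIN counts are constructed, and the reselection model (a blocked user picks again from the allowed PINs in proportion to their popularity) is our assumption, not the paper's methodology.

```python
from collections import Counter

# Constructed PIN-frequency sample (users per PIN); NOT the paper's data set.
# The shape mimics real PIN data: a few very popular PINs and a long flat tail.
SAMPLE = Counter({"1234": 100, "0000": 50, "1111": 30, "1212": 20})
for i in range(2000, 2800):          # 800 distinct tail PINs, one user each
    SAMPLE[f"{i:04d}"] += 1           # total: 1,000 users


def throttled_success(dist, budget):
    """Fraction of users cracked by an attacker who knows the distribution and
    spends `budget` guesses on its most frequent PINs (the throttled setting)."""
    ranked = sorted(dist.values(), reverse=True)
    return sum(ranked[:budget]) / sum(dist.values())


def apply_blocklist(dist, blocklist):
    """Return (new distribution, fraction of users forced to reselect).
    Modelling assumption (ours, not the paper's): a user whose first choice is
    blocked picks again from the allowed PINs in proportion to their popularity,
    so the blocked mass is spread over the allowed PINs by a common scale factor."""
    total = sum(dist.values())
    blocked_mass = sum(c for p, c in dist.items() if p in blocklist)
    allowed = {p: c for p, c in dist.items() if p not in blocklist}
    scale = total / (total - blocked_mass)
    return {p: c * scale for p, c in allowed.items()}, blocked_mass / total


def evaluate(dist, blocklist_size, budgets=(10, 30, 100)):
    """Block the `blocklist_size` most popular PINs and report attacker success
    per guess budget plus the usability cost (share of users who had to reselect)."""
    blocklist = {p for p, _ in Counter(dist).most_common(blocklist_size)}
    new_dist, frustrated = apply_blocklist(dist, blocklist)
    success = {k: round(throttled_success(new_dist, k), 4) for k in budgets}
    return success, round(frustrated, 4)


if __name__ == "__main__":
    # Growing the blocklist past the popular "head" of the distribution adds
    # frustration without reducing attacker success (the tail is already flat).
    for size in (0, 1, 4, 100):
        print(f"blocklist of {size:>3} PINs ->", evaluate(SAMPLE, size))
```

On this constructed sample, blocking the four head PINs already drives a 10-guess attacker down to the uniform-tail baseline; blocking 100 PINs forces 29.6% of users to reselect without lowering success any further.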
