Philipp Markert

Daniel V. Bailey, Philipp Markert, Adam J. Aviv

We conducted an online study with $n = 235$ Signal users on their understanding and usage of PINs in Signal. In our study, we observe a split in PIN management and composition strategies between users who can explain the purpose of the Signal PINs (56%; enthusiasts) and users who cannot (44%; casual users). Encouraging adoption of PINs by Signal appears quite successful: only 14% opted-out of setting a PIN entirely. Among those who did set a PIN, most enthusiasts had long, complex alphanumeric PINs generated by and saved in a password manager. Meanwhile more casual Signal users mostly relied on short numeric-only PINs. Our results suggest that better communication about the purpose of the Signal PIN could help more casual users understand the features PINs enable (such as that it is not simply a personal identification number). This communication could encourage a stronger security posture.

Raina Samuel, Philipp Markert, Adam J. Aviv et al.

Knock Codes are a knowledge-based unlock authentication scheme used on LG smartphones where a user enters a code by tapping or "knocking" a sequence on a 2x2 grid. While a lesser used authentication method, as compared to PINs or Android patterns, there is likely a large number of Knock Code users; we estimate, 700,000--2,500,000 in the US alone. In this paper, we studied Knock Codes security asking participants to select codes on mobile devices in three settings: a control treatment, a blocklist treatment, and a treatment with a larger, 2x3 grid. We find that Knock Codes are significantly weaker than other deployed authentication, e.g., PINs or Android patterns. In a simulated attacker setting, 2x3 grids offered no additional security, but blocklisting was more beneficial, making Knock Codes' security similar to Android patterns. Participants expressed positive perceptions of Knock Codes, but usability was challenged. SUS values were "marginal" or "ok" across treatments. Based on these findings, we recommend deploying blacklists for selecting a Knock Code because it improves security but has limited impact on usability perceptions.

Philipp Markert, Daniel V. Bailey, Maximilian Golla et al.

In this paper, we provide the first comprehensive study of user-chosen 4- and 6-digit PINs (n=1220) collected on smartphones with participants being explicitly primed for device unlocking. We find that against a throttled attacker (with 10, 30, or 100 guesses, matching the smartphone unlock setting), using 6-digit PINs instead of 4-digit PINs provides little to no increase in security, and surprisingly may even decrease security. We also study the effects of blocklists, where a set of "easy to guess" PINs is disallowed during selection. Two such blocklists are in use today by iOS, for 4-digits (274 PINs) as well as 6-digits (2910 PINs). We extracted both blocklists compared them with four other blocklists, including a small 4-digit (27 PINs), a large 4-digit (2740 PINs), and two placebo blocklists for 4- and 6-digit PINs that always excluded the first-choice PIN. We find that relatively small blocklists in use today by iOS offer little or no benefit against a throttled guessing attack. Security gains are only observed when the blocklists are much larger, which in turn comes at the cost of increased user frustration. Our analysis suggests that a blocklist at about 10% of the PIN space may provide the best balance between usability and security.