This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs
This research addresses smartphone security for users and developers by revealing limitations in common PIN policies, though it is incremental as it builds on existing blocklist and throttling concepts.
The study analyzed the security of user-chosen 4- and 6-digit PINs on smartphones, finding that 6-digit PINs offer little to no improvement over 4-digit PINs against throttled attackers, and current iOS blocklists provide minimal security benefits unless expanded to about 10% of the PIN space, which balances usability and security.
In this paper, we provide the first comprehensive study of user-chosen 4- and 6-digit PINs (n=1220) collected on smartphones with participants being explicitly primed for device unlocking. We find that against a throttled attacker (with 10, 30, or 100 guesses, matching the smartphone unlock setting), using 6-digit PINs instead of 4-digit PINs provides little to no increase in security, and surprisingly may even decrease security. We also study the effects of blocklists, where a set of "easy to guess" PINs is disallowed during selection. Two such blocklists are in use today by iOS, for 4-digits (274 PINs) as well as 6-digits (2910 PINs). We extracted both blocklists compared them with four other blocklists, including a small 4-digit (27 PINs), a large 4-digit (2740 PINs), and two placebo blocklists for 4- and 6-digit PINs that always excluded the first-choice PIN. We find that relatively small blocklists in use today by iOS offer little or no benefit against a throttled guessing attack. Security gains are only observed when the blocklists are much larger, which in turn comes at the cost of increased user frustration. Our analysis suggests that a blocklist at about 10% of the PIN space may provide the best balance between usability and security.