This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs
Philipp Markert, Daniel V. Bailey, Maximilian Golla, Markus Dürmuth, Adam J. Aviv
IEEE Symposium on Security and Privacy (SP '20). San Francisco, California, USA, May 18-20, 2020.
In this paper, we provide the first comprehensive study of user-chosen 4- and 6-digit PINs (n=1220) collected on smartphones with participants being explicitly primed for the situation of device unlocking. We find that against a throttled attacker (with 10, 30, or 100 guesses, matching the smartphone unlock setting), using 6-digit PINs instead of 4-digit PINs provides little to no increase in security, and surprisingly may even decrease security.
We also study the effects of blocklists, where a set of "easy to guess" PINs is disallowed during selection. Two such blocklists are in use today by iOS, for 4-digits (274 PINs) as well as 6-digits (2910 PINs). We extracted both blocklists compared them with four other blocklists, including a small 4-digit (27 PINs), a large 4-digit (2740 PINs), and two placebo blocklists for 4- and 6-digit PINs that always excluded the first-choice PIN. We find that relatively small blocklists in use today by iOS offer little or no benefit against a throttled guessing attack. Security gains are only observed when the blocklists are much larger, which in turn comes at the cost of increased user frustration. Our analysis suggests that a blocklist at about 10% of the PIN space may provide the best balance between usability and security.[Website] [Video] [Paper] [Slides]