On the Security of Smartphone Unlock PINs

Philipp Markert, Da­ni­el V. Bai­ley, Maximilian Golla, Markus Dürmuth, Adam J. Aviv

ACM Transactions on Privacy and Security (TOPS '21).


In this paper, we provide the first comprehensive study of user-chosen 4- and 6-digit PINs (n=1705) collected on smartphones with participants being explicitly primed for device unlocking. We find that against a throttled attacker (with 10, 30, or 100 guesses, matching the smartphone unlock setting), using 6-digit PINs instead of 4-digit PINs provides little to no increase in security, and surprisingly may even decrease security. We also study the effects of blocklists, where a set of "easy to guess" PINs is disallowed during selection. Two such blocklists are in use today by iOS, for 4-digits (274 PINs) as well as 6-digits (2910 PINs). We extracted both blocklists and compared them with six other blocklists, three for each PIN length. In each case we had a small (4-digit: 27 PINs, 6-digit: 29 PINs), a large (4-digit: 2740 PINs, 6-digit: 291,000 PINs), and a placebo blocklist that always excluded the first-choice PIN. For 4-digit PINs, we find that the relatively small blocklist in use today by iOS offers little to no benefit against a throttled guessing attack. Security gains are only observed when the blocklist is much larger. In the 6-digit case, we were able to reach a similar security level with a smaller blocklist. As the user frustration increases with the blocklists size, developers should employ a blocklist which is as small as possible while ensuring the desired security. Based on our analysis, we recommend that for 4-digit PINs a blocklist should contain the 1000 most popular PINs to provide the best balance between usability and security, for 6-digit PINs the 2000 most popular PINs should be blocked.


tags: au­then­ti­ca­ti­on, block­lists, mo­bi­le, PIN