On the Security of Smartphone Unlock PINs
Philipp Markert, Daniel V. Bailey, Maximilian Golla, Markus Dürmuth, Adam J. Aviv
ACM Transactions on Privacy and Security (TOPS '21).
In this paper, we provide the first comprehensive study of user-chosen 4- and 6-digit PINs (n=1705) collected on smartphones, with participants explicitly primed for device unlocking. We find that against a throttled attacker (with 10, 30, or 100 guesses, matching the smartphone unlock setting), using 6-digit PINs instead of 4-digit PINs provides little to no increase in security, and surprisingly may even decrease security. We also study the effects of blocklists, where a set of "easy to guess" PINs is disallowed during selection. Two such blocklists are in use today by iOS, for 4 digits (274 PINs) as well as 6 digits (2910 PINs). We extracted both blocklists and compared them with six other blocklists, three for each PIN length. In each case we had a small (4-digit: 27 PINs, 6-digit: 29 PINs), a large (4-digit: 2740 PINs, 6-digit: 291,000 PINs), and a placebo blocklist that always excluded the first-choice PIN. For 4-digit PINs, we find that the relatively small blocklist in use today by iOS offers little to no benefit against a throttled guessing attack. Security gains are only observed when the blocklist is much larger. In the 6-digit case, we were able to reach a similar security level with a smaller blocklist. As user frustration increases with the blocklist's size, developers should employ a blocklist that is as small as possible while ensuring the desired security. Based on our analysis, we recommend that for 4-digit PINs a blocklist should contain the 1000 most popular PINs to provide the best balance between usability and security; for 6-digit PINs, the 2000 most popular PINs should be blocked.
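The throttled-guessing measurement the abstract describes, written out as an added example (this is not code from the paper or its authors): a PIN frequency table is scored against an attacker who knows the distribution and gets 10, 30 or 100 guesses, then a "block the k most popular PINs" blocklist is applied and the table is re-scored. The frequency table below is constructed for the illustration, and the re-pick model (users whose first choice is blocked re-choose in proportion to the unblocked choices) is an assumption of this example; the paper measured participants' actual second choices, so the numbers here do not reproduce its findings. The one check worth taking away is in `naive_success`: a blocklist must be evaluated against an attacker who re-ranks guesses after the blocklist is applied, otherwise the evaluation credits the blocklist for guesses the attacker would never waste.

```python
from collections import Counter
from typing import Iterable, List


def constructed_pin_counts() -> Counter:
    """Constructed synthetic table of user-chosen 4-digit PINs (NOT the paper's data):
    one dominant PIN, a flat head of 30 moderately popular PINs, and a long tail of
    640 PINs each chosen once. 1000 users in total."""
    counts = Counter({"1234": 60})
    head = ["0000", "1111", "2580", "1212", "7777", "5555", "9999", "4321",
            "1122", "2000", "1010", "6969", "1313", "2222", "1004",
            "4444", "2001", "6666", "1998", "2323", "0007", "1996", "1999",
            "8888", "1997", "2468", "1995", "0852", "1357", "2002"]
    for pin in head:
        counts[pin] = 10
    for i in range(640):            # tail: "3000" .. "3639", one user each
        counts[f"{3000 + i:04d}"] = 1
    return counts


def guess_order(counts: Counter) -> List[str]:
    """Order in which an attacker who knows the distribution tries PINs:
    most popular first, ties broken by PIN value so results are deterministic."""
    return [pin for pin, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


def throttled_success(counts: Counter, guesses: int) -> float:
    """Fraction of users compromised by an attacker limited to `guesses` attempts
    who guesses in the optimal (most-popular-first) order for this distribution."""
    total = sum(counts.values())
    order = guess_order(counts)[:guesses]
    return sum(counts[p] for p in order) / total


def top_k_blocklist(counts: Counter, k: int) -> List[str]:
    """A blocklist of the k most popular PINs, the construction the paper recommends."""
    return guess_order(counts)[:k]


def apply_blocklist(counts: Counter, blocklist: Iterable[str]) -> Counter:
    """Distribution of final choices after a blocklist is enforced at selection time.
    Assumption of this example (not the paper's measured second choices): users whose
    first choice is blocked re-pick in proportion to the unblocked choices. Under that
    model the success rate equals the attacker's share of the remaining choices, so
    dropping the blocked entries is all that is needed."""
    blocked = set(blocklist)
    return Counter({p: c for p, c in counts.items() if p not in blocked})


def naive_success(original: Counter, after: Counter, guesses: int) -> float:
    """Success of an attacker who does NOT adapt to the blocklist and keeps guessing
    in the pre-blocklist order: blocked PINs waste guesses. Evaluating a blocklist
    this way overstates its benefit."""
    total = sum(after.values())
    order = guess_order(original)[:guesses]
    return sum(after.get(p, 0) for p in order) / total


if __name__ == "__main__":
    base = constructed_pin_counts()
    for k in (0, 3, 31):
        after = apply_blocklist(base, top_k_blocklist(base, k))
        row = "  ".join(f"{g:3d} guesses: {throttled_success(after, g):.3f}"
                        for g in (10, 30, 100))
        print(f"blocklist of top {k:2d}: {row}")
```

With the constructed table, blocking the top 3 PINs removes the dominant "1234" but the attacker simply moves on to the flat head, so the 10-guess success rate falls from 15.0% to 10.9%; blocking the whole head (31 PINs) leaves only the tail and drops it to 1.6%. A non-adapting attacker scores 7.6% against the 3-PIN blocklist, because three of the ten pre-blocklist guesses are now impossible choices; that gap between `naive_success` and `throttled_success` is the evaluation error to avoid.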