This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs

@article{Markert2020ThisPC,
  title={This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs},
  author={Philipp Markert and Daniel V. Bailey and Maximilian Golla and Markus D{\"u}rmuth and Adam J. Aviv},
  journal={2020 IEEE Symposium on Security and Privacy (SP)},
  year={2020},
  pages={286-303}
}
In this paper, we provide the first comprehensive study of user-chosen 4- and 6-digit PINs (n = 1220) collected on smartphones with participants being explicitly primed for device unlocking. We find that against a throttled attacker (with 10, 30, or 100 guesses, matching the smartphone unlock setting), using 6-digit PINs instead of 4-digit PINs provides little to no increase in security, and surprisingly may even decrease security. We also study the effects of blacklists, where a set of "easy… 
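The evaluation setting the abstract describes (an attacker throttled to 10, 30 or 100 guesses, choosing guesses by PIN frequency, with or without a selection-time blacklist) can be reproduced on any sample of user-chosen PINs. The following is an added example, not code from the paper or its authors; the training and target PIN sets are constructed stand-ins for a leaked PIN list and a user population, and the blacklist handling (users whose PIN is rejected are assumed to re-select like everyone else, so they are dropped from the target set) is our simplification, not the paper's methodology.

```python
"""Throttled online guessing against user-chosen PINs (added example)."""
from collections import Counter

GUESS_BUDGETS = (10, 30, 100)  # lockout thresholds from the paper's threat model

# Constructed "training" sample standing in for a leaked PIN set (not real data):
# a heavy head of popular PINs plus 36 deterministically generated singletons.
TRAINING_COUNTS = {
    "1234": 23, "1111": 9, "0000": 7, "1212": 5, "7777": 4, "1004": 4,
    "2000": 3, "2222": 3, "4444": 3, "6969": 3,
}
for _i in range(36):
    TRAINING_COUNTS[f"{(1735 + 97 * _i) % 10000:04d}"] = 1
TRAINING_PINS = [pin for pin, n in TRAINING_COUNTS.items() for _ in range(n)]

# Constructed target population of 20 users (not real data).
TARGET_PINS = ["1234"] * 5 + ["1111"] * 2 + [
    "0000", "2580", "1212", "7777", "1004", "2000", "1998",
    "0615", "4444", "3141", "1337", "8520", "2222",
]


def build_guess_order(training_pins, blacklist=frozenset()):
    """Attacker's guess list: most frequent PIN first, ties broken lexicographically.

    Blacklisted PINs are skipped: a policy that rejects them at selection time
    guarantees that no victim uses them, so guessing them only wastes budget."""
    counts = Counter(training_pins)
    ordered = sorted(counts, key=lambda pin: (-counts[pin], pin))
    return [pin for pin in ordered if pin not in blacklist]


def guess_number(pin, guess_order):
    """1-based position of `pin` in the attacker's list, or None if never guessed."""
    try:
        return guess_order.index(pin) + 1
    except ValueError:
        return None


def cracked_fraction(target_pins, guess_order, budget):
    """Share of target users whose PIN falls within the first `budget` guesses."""
    top = set(guess_order[:budget])
    return sum(pin in top for pin in target_pins) / len(target_pins)


def evaluate(target_pins, training_pins, blacklist=frozenset(), budgets=GUESS_BUDGETS):
    """Cracked fraction per guess budget.

    Modelling assumption (ours, not the paper's): users whose PIN is on the
    blacklist re-select and the remaining users stay representative, so they
    are simply dropped from the target population."""
    order = build_guess_order(training_pins, blacklist)
    victims = [pin for pin in target_pins if pin not in blacklist]
    return {b: cracked_fraction(victims, order, b) for b in budgets}


if __name__ == "__main__":
    for name, bl in (("no blacklist", frozenset()),
                     ("blacklist top-3", frozenset({"1234", "1111", "0000"}))):
        result = evaluate(TARGET_PINS, TRAINING_PINS, bl)
        print(name, {b: f"{v:.0%}" for b, v in result.items()})
```

On the constructed data the frequency-ordered attacker cracks 70% of users within 10 guesses and gains nothing from the extra guesses up to 100, because only the popular head of the distribution is shared between training and target sets; blacklisting the three most common PINs lowers that to 50%. The same functions work unchanged on 6-digit PINs, which is what makes the 4- versus 6-digit comparison in the paper possible: the guess budget, not the key space, is the binding constraint.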
Double Patterns: A Usable Solution to Increase the Security of Android Unlock Patterns
TLDR
This paper proposes Double Patterns (DPatts), a natural advancement on Android unlock patterns that keeps the core design but, instead of a single pattern, has the user select two patterns entered one after the other and superimposed on the same 3x3 grid.
Let's Take it Offline: Boosting Brute-Force Attacks on iPhone's User Authentication through SCA
TLDR
This work performs the first publicly reported physical Side-Channel Analysis (SCA) attack on an iPhone in order to extract the hardware-fused, device-specific User Identifier (UID) key, showing that an attacker able to issue arbitrarily many chosen-data encryption/decryption requests is a realistic model, even for compact systems with advanced software protections.
Knock, Knock. Who's There? On the Security of LG's Knock Codes
TLDR
It is found that Knock Codes are significantly weaker than other deployed authentication methods, e.g., PINs or Android patterns, and the paper recommends deploying a blacklist for Knock Code selection because it improves security while having limited impact on usability perceptions.
Widely Reused and Shared, Infrequently Updated, and Sometimes Inherited: A Holistic View of PIN Authentication in Digital Lives and Beyond
TLDR
Memorability is found to be the most important criterion when choosing a PIN, ahead of security or concerns about reuse; the study also examines how users behave after a PIN has been compromised.
On Smartphone Users’ Difficulty with Understanding Implicit Authentication
TLDR
An evaluation of how users understand Android's Smart Lock (SL), the first widely deployed implicit authentication (IA) solution on smartphones, suggests that users often have difficulty understanding SL semantics, leaving them unable to judge when their phone would be (un)locked.
Password-free Authentication for Smartphone Touchscreen Based on Finger Size Pattern
TLDR
This study introduces a novel authentication methodology based on pattern recognition of finger size and pressure when users touch the smartphone screen, and presents three new approaches: an exact-range evaluation approach, a pattern-range approach, and a technique relying on size-frequency position.
"I have no idea what they're trying to accomplish: " Enthusiastic and Casual Signal Users' Understanding of Signal PINs
TLDR
Better communication about the purpose of the Signal PIN could help more casual users understand the features PINs enable (such as that it is not simply a personal identification number) and encourage a stronger security posture.
A Matrix for Systematic Selection of Authentication Mechanisms in Challenging Healthcare related Environments
Passwords continue to dominate the authentication landscape, while One Time Passwords (OTPs) provided by apps are increasingly used as second factor. Even though several alternatives are developed,
Prototyping Usable Privacy and Security Systems: Insights from Experts
TLDR
The challenges faced by researchers in this area such as the high costs of conducting field studies when evaluating hardware prototypes, the scarcity of open-source material, and the resistance to novel prototypes are identified.
“The Same PIN, Just Longer”: On the (In)Security of Upgrading PINs from 4 to 6 Digits
TLDR
The results indicate that forcing users to upgrade to 6-digit PINs offers limited security improvements despite adding usability burdens, and system designers should carefully consider this tradeoff before requiring upgrades.
...
...

References

SHOWING 1-10 OF 57 REFERENCES
Understanding Human-Chosen PINs: Characteristics, Distribution and Security
TLDR
This work conducts a systematic investigation into the characteristics, distribution and security of both 4-digit and 6-digit PINs chosen by English and Chinese users, and reveals that PIN distributions likely follow Zipf's law.
On the Impact of Touch ID on iPhone Passcodes
TLDR
Overall, it is found that users do not take advantage of Touch ID and still use weak unlocking secrets, mainly 4-digit PINs, much like users who do not use Touch ID, and that there is a disconnect between users' desire for security and the reality.
A Birthday Present Every Eleven Wallets? The Security of Customer-Chosen Banking PINs
TLDR
It is found that guessing PINs based on the victims’ birthday will enable a competent thief to gain use of an ATM card once for every 11–18 stolen wallets, depending on whether banks prohibit weak PINs such as 1234.
Towards Baselines for Shoulder Surfing on Mobile Authentication
TLDR
It is found that 6-digit PINs are the hardest to shoulder surf, with a single observation leading to just 10.8% successful attacks, whereas length-6 Android patterns were attacked successfully 64.2% of the time after one observation.
Is Bigger Better? Comparing User-Generated Passwords on 3x3 vs. 4x4 Grid Sizes for Android's Pattern Unlock
TLDR
An advanced guessing algorithm is developed and the strength of the patterns is quantified using partial guessing entropy; the authors find that guessing the first 20% of patterns on both 3x3 and 4x4 grids can be done as efficiently as guessing a random 2-digit PIN.
It's a Hard Lock Life: A Field Study of Smartphone (Un)Locking Behavior and Risk Perception
TLDR
It was found that, on average, participants spent around 2.9% of their smartphone interaction time authenticating, and participants who used a secure lock screen such as a PIN or Android unlock pattern considered it unnecessary in 24.1% of situations.
PIN selection policies: Are they really effective?
Honey, I shrunk the keys: influences of mobile devices on password composition and authentication performance
TLDR
A negative effect on password security is observed: influenced by the constraints of mobile devices on authentication performance and password composition, users fall back to passwords that are easier to enter on the respective device.
Quantifying the security of graphical passwords: the case of android unlock patterns
TLDR
This paper systematically improves the security of the Android Unlock Pattern by finding a small, but still effective change in the pattern layout that makes graphical user logins substantially more secure.
Smudge Attacks on Smartphone Touch Screens
TLDR
This paper examines the feasibility of smudge attacks on smartphone touch screens, focuses on the Android password pattern, and provides a preliminary analysis of applying the information learned from a smudge attack to guessing an Android password pattern.
...
...