Should you trust your Mobile PIN?
At YeshID, we are obsessed with making identity and access management as simple as possible. Authentication is an important part of the problem. You know, authentication–that password you must enter multiple times a day? At YeshID, we’re making authentication as easy as tap and go, no passwords! Like Apple Pay.
Is that kind of thing secure? The Wall Street Journal has recently published an article about iPhone theft leading to the loss of thousands of dollars drained from Apple Pay and other financial apps on the device from which money can be extracted by the thieves. The article tells the story of one victim sitting in a bar. A thief hovers near, watching as they unlock their iPhone with a PIN code. (It’s unclear from the article why they didn’t use biometrics; it’s possible the attacker stole the phone momentarily to disable biometrics with too many incorrect tries – only takes a second.) Once they’ve seen the PIN the thieves steal the phone, lock the user out by changing the iCloud password, and scan through the phone for financial details and PROFIT!
This raises the question: is it safe to use iPhone (or Android) to authenticate to work, bank, and other sensitive accounts? We all do it, but is it safe?
For this attack to work, a few things must happen:
- The thief must have physical access to the victim.
- The thief must observe the PIN being entered.
- The thief must steal the phone and use the PIN to change the iCloud password before the victim can respond.
- The victim must have Apple Pay, bank accounts, or other financial apps that the thief can defraud.
Should you be worried? Are PINs bad? Let’s ask the following questions:
- How scalable is this attack?
- Are physical security keys better?
- Should we get rid of PINs altogether?
How scalable is this attack?
Scalability matters. A scalable attack, such as phishing, means many bad actors and many victims. This attack requires physical access to the victim’s phone and observing the victim unlocking their phone in a particular way – using the PIN. The resources required for this attack make it opportunistic by nature and impossible to scalable.
Are physical security keys better?
Sure, but. Physical security keys like Yubikey increase digital security. The user must press it or bring it in immediate proximity (using NFC, like a contactless credit card) to authenticate. This authentication method is highly phishing-resistant. If a server is hacked, all credentials are safe thanks to public-private encryption. Not true with passwords. The friction a physical security key adds is usually used to confirm significant actions, like a completely new login. (Technically, these are called “destructive” actions. But let’s not be quite that technical.)
Apple recently introduced support for security keys, before allowing actions like changing iCloud password. Normally, an active trusted Apple device and a PIN were sufficient to change the iCloud password. When using security keys, this is not enough.
Security keys require that the thief steal not just the phone but also the key. This increases friction dramatically for thieves (yay), but the friction means users will choose not to use it to unlock their devices–if they can–, because that happens a lot; you know how often! And users will lose access to their accounts if they lose the security key. That’s enough friction to make it unlikely anyone will want to carry one around for everyday, non-significant, non-destructive actions.
Regardless, security keys are not used when using Apple Pay, which means that if the attack is executed before the user can report the device is lost, a security key will not help. According to the article, the thief could complete the attack in minutes. Probably before the victim ever noticed their phone is missing. If you did need to authenticate with the security key every time you buy coffee, it would make the key equally likely to be stolen with the phone.
Should we get rid of PINs altogether?
iPhones have FaceID. FaceID is more secure than fingerprints, so better than a PIN. Why don’t we get rid of the PIN, then?!
PIN, FaceID, and fingerprint act as proof of life. A real person is using the device, and this person knows (or is) a secret needed to unlock it. These secrets never leave your device, so you must register them on each device separately.
The PIN is a low-friction form of local-password. Unlike the complex and long passwords that you can’t remember (you are using them, aren’t you?), your 4-6 digits PIN is quick and easy to enter. Biometrics are safer than a PIN, but they are more flakey and can fail in various conditions (Fingerprints don’t work well with gloves on, FaceID with sunglasses or bad lighting.) A PIN is a safe fallback. To put this another way: biometrics are a convenient feature for quickly unlocking your phone and are no more secure than a PIN (ever seen that movie where the guy kills the other guy, takes their phone, and uses their face or finger to unlock it? Doesn’t work with PINs!) They can prevent phone thieves from accessing your phone and do that very well, but they are not a replacement for your account (iCloud or Google) password. Getting rid of the PIN will reduce your ability to unlock your phone easily.
In 2016, Apple reported that the average iPhone user unlocks their phone 80 times a day, and 89% of them use PIN or TouchID. More recent statistics are all over the place, from 96 (every ~10 minutes) to over 344 times a day. FaceID takes about 0.6 seconds to unlock a device and requires no interruption, whereas PIN takes about 2 seconds. More importantly, the user experience of FaceID is intuitive and unobtrusive, while a PIN is not. Just try disabling biometrics for a few days.
So, why does Apple allow you to change the all-important iCloud password using just the PIN? The answer is it doesn’t. It allows changing the all-important iCloud password using the PIN and an active, trusted device. Meaning this device is, in fact, no different from a Yubikey that is always with you. Until it’s stolen. The trade-off is always security and usability.
No, we should not get rid of PINs. It is a secure way to authenticate to the device physically.
If you’re worried about physical attacks – I strongly encourage considering security keys, and storing them in a safe place. Perhaps also consider investing in bodyguards or jiu-jitsu classes.
I strongly recommend increasing your PIN to 6 digits and making sure nobody is hovering behind you when you do enter your PIN. Use biometrics!–It is fantastic UX and security.
At YeshID, we allow users to authenticate using passkey, which feels no different from Apple Pay: a safe, completely passwordless way to authenticate. We’re sure you and your colleagues will love it.
P.S. – love your colleagues as much as we do
We’ve heard horror stories from users, telling us “my company forces the PIN to be alphanumeric.” Maybe they are a very high-value target, in which case this might be a good idea. More likely, someone in IT doesn’t have enough empathy for their colleagues.
How many times do you fat-finger your PIN? Let’s say 1-in-10 times you miss pressing the correct 6 digits from a screen of 10 large digits.
Now, imagine a full QWERTY keyboard with an alphanumeric PIN password on your phone. What would your error rate be now? Even if you’re a two-thumb-typer how long will it take you to type a password? 5 seconds? 10? 20?
Security and usability are a trade-off. At YeshID we’re obsessed with user experience and we absolutely refuse to sacrifice security, which is why we tweak every bit of user friction to the specific context. No, really, it’s our core value: Innovate until experience & security exist in harmony. We love our users and we think you’ll love what we do.