Abstract
Entering the digits of a personal identification number (PIN) is a common form of authentication. One variant of this scheme requests only the digits at a random subset of positions, and is sometimes called a partial PIN. In this paper we consider strategies for guessing the PIN when a partial PIN scheme is in use, which lets us quantify the strength of the mechanism. We propose several guessing strategies under the assumption that the organisation assigns PINs uniformly at random and requests a random set of positions at each login. We present analytic and simulation results for the different strategies and explore their performance for different PIN lengths and sizes of requested subset. We find that the most effective strategies have a reasonable chance of recovering a PIN in tens to hundreds of guesses.
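The setting the abstract describes can be made concrete with a small simulation. The code below is an added illustration, not the paper's code, and the strategies it implements are not claimed to be the ones analysed in the paper. It assumes decimal digits, a PIN assigned uniformly at random, a verifier that announces which positions it wants before each attempt and answers only accept or reject, and it counts attempts until the first accepted login. Two guessers are compared: a memoryless baseline that picks a fresh random tuple every time, and one that keeps the set of PINs still consistent with every rejection and asks for the digit tuple shared by the most remaining candidates. The class and function names (`PartialPinVerifier`, `EliminationGuesser`, `attempts_to_login`, ...) are this example's own.

```python
"""Guessing attacks against a partial PIN scheme (added example, not the paper's code).

The organisation assigns a random PIN and at each login requests a random
subset of its positions; the attacker supplies digits for those positions only
and learns just accept/reject.
"""
import itertools
import random
from collections import Counter


class PartialPinVerifier:
    """Holds one PIN; at each login challenges k randomly chosen positions."""

    def __init__(self, pin, k, rng=None):
        self.pin = tuple(pin)          # digits as a tuple, e.g. (4, 0, 7, 1)
        self.k = k                     # positions requested per login
        self.rng = rng or random.Random()

    def challenge(self):
        """Positions the user must supply this time, in ascending order."""
        return tuple(sorted(self.rng.sample(range(len(self.pin)), self.k)))

    def check(self, positions, digits):
        """Accept only when every requested position matches."""
        return len(digits) == len(positions) and all(
            self.pin[p] == d for p, d in zip(positions, digits))


class MemorylessGuesser:
    """Baseline: a fresh uniformly random tuple for every challenge."""

    def __init__(self, length, rng=None):
        self.rng = rng or random.Random()

    def guess(self, positions):
        return tuple(self.rng.randrange(10) for _ in positions)

    def learn_failure(self, positions, digits):
        pass  # a rejection teaches this guesser nothing


class EliminationGuesser:
    """Keeps every PIN consistent with all rejections so far and guesses the
    digit tuple carried by the most remaining candidates (ties broken randomly)."""

    def __init__(self, length, rng=None):
        # Start from every possible PIN: 10**length candidates.
        self.candidates = set(itertools.product(range(10), repeat=length))
        self.rng = rng or random.Random()

    def guess(self, positions):
        counts = Counter(tuple(c[p] for p in positions) for c in self.candidates)
        best = max(counts.values())
        return self.rng.choice(sorted(t for t, n in counts.items() if n == best))

    def learn_failure(self, positions, digits):
        # A rejection rules out exactly the candidates carrying `digits` at `positions`;
        # the true PIN is never among them, so it always survives.
        self.candidates = {c for c in self.candidates
                           if tuple(c[p] for p in positions) != digits}


def attempts_to_login(guesser_cls, length, k, seed):
    """Login attempts until the verifier first accepts one (seeded, so repeatable)."""
    rng = random.Random(seed)
    pin = tuple(rng.randrange(10) for _ in range(length))   # random PIN assignment
    verifier = PartialPinVerifier(pin, k, rng)
    guesser = guesser_cls(length, rng)
    for attempt in itertools.count(1):
        positions = verifier.challenge()
        digits = guesser.guess(positions)
        if verifier.check(positions, digits):
            return attempt
        guesser.learn_failure(positions, digits)


def mean_attempts(guesser_cls, length, k, trials, seed=0):
    """Average attempts over independent random PINs and challenge sequences."""
    return sum(attempts_to_login(guesser_cls, length, k, seed + i)
               for i in range(trials)) / trials


if __name__ == "__main__":
    for cls in (MemorylessGuesser, EliminationGuesser):
        print(f"{cls.__name__:18s} 4-digit PIN, 2 positions requested: "
              f"{mean_attempts(cls, 4, 2, trials=20):.1f} attempts on average")
```

Without memory, each attempt succeeds with probability 10^-k regardless of history, so the baseline needs about 10^k attempts on average. The elimination guesser always keeps the true PIN in its candidate set and shrinks that set on every rejection, so it is guaranteed to succeed within 10^length attempts and in practice far sooner; varying `length` and `k` in `mean_attempts` shows how the requested subset size, not the PIN length, drives the baseline cost, while the full PIN space bounds the informed attacker.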
Funder
Science Foundation Ireland
Subject
General Physics and Astronomy