Your IT: “Your account is now secured with a PIN, adding an extra layer of security to your account.”
Your Users: “Great idea! I’ll just use my credit card PIN, and now I will always remember my computer PIN too!”
Many security managers have struggled with similar exchanges in recent years, as the business world continuously examines added security layers for employees and users alike.
PINs are often suggested as an easier and safer way to access devices (including by Microsoft, as the mandatory fallback for biometrics in Windows Hello).
A PIN delivers a faster, more usable experience. Signing in with a short PIN instead of a password may ease some password usability and fatigue problems. Besides, a PIN is normally bound to one specific device, so if the PIN is compromised the exposure is limited to that device rather than to every account behind it. However, when it comes to security, which one is the better choice: PINs or passwords? (TLDR: neither)
Both PINs and passwords suffer from the same fundamental flaw: they still rely on human beings and on “something they know” to authenticate users. A PIN is still just “something you know”, and the connected services behind the device still rely on passwords, so in the end there is no real difference. Both methods are inferior to passwordless authentication, and here is why.
“It isn’t the structure of a PIN (length, complexity) that makes it better than a password, it’s how it works.” (Microsoft)
So let’s examine, shall we?
Why are PINs considered safer?
In theory: PIN is tied to the device
The most common way to implement PINs in an enterprise setting is to link them to a physical asset, such as a desktop computer or a mobile device. The physical asset is the first factor, and the PIN provides an additional level of verification that the user is authorized to use it.
The PIN, like a biometric, requires the operator to physically possess the device and interact with it directly. On paper, then, the PIN is highly secure by design.
In practice: PINs are reused across devices
“so the assumption is that people are going to use different pins for different devices….like they use different passwords for different accounts…oh wait…”
The PIN is theoretically unique to that machine, but as just about every security professional knows, users will reuse the same damn PIN over and over. Most users will use the same PIN for all their devices, so whoever learns the PIN for one device (a shoulder-surfed unlock, a photo of a sticky note) has it for all of them, effectively negating the benefit of device binding.
The problem is exacerbated by the fact that users access their accounts from several devices, each of which has its own PIN to remember, which only increases the temptation to reuse one.
In theory: PINs can be complex
PINs can be subject to the same set of IT management policies as passwords, such as complexity, length, expiration, and history. So, in theory, administrators can set policies for managed devices to require a PIN complexity similar to a password.
In Practice: CAN is the keyword
The problem here, again, is the human factor: given the choice, people will pick the PIN that is easiest for them to remember, i.e. their ATM PIN.
In theory: PINs are easier for users to remember
PINs are shorter, and therefore easier for most users to memorize.
In practice: Users will forget their passwords
If anything, daily use of PINs makes it more likely for users to forget their passwords and might, therefore, even increase helpdesk needs.
Also, Windows Hello does not allow you to skip the PIN “under the hood”: a PIN must be set up as the fallback whenever any biometric ID is activated. So, in the end, the PIN is just another piece of data for users to forget or reuse and for threat actors to steal.
And the winner is: passwordless authentication
PINs almost always require manual data entry, and most systems that use PINs lock the device after a maximum number of failed attempts. This makes PINs resistant to online brute force: for a four-digit PIN with, say, four attempts before lockout, the intruder has only a 4/10,000 = 0.04% chance of success. Note that this only holds while the lockout is actually enforced and the PIN cannot be attacked offline against a copied verifier.
In addition, the Hello PIN is backed by a Trusted Platform Module (TPM) chip, a neat crypto-processor designed to carry out cryptographic operations. The PIN is not sent to the service; it unlocks a key held by the TPM on that device, and the TPM also enforces the anti-hammering limit on wrong guesses. All Windows 10 Mobile phones and many modern laptops have a TPM that further boosts the security of Windows Hello PINs.
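To make the “PIN is tied to the device” argument above, the lockout math, and the TPM backing concrete, here is a small model (an added example written for this article, not code from the original page or from Microsoft). The “TPM” is modelled as a per-device random secret that never leaves the device, the anti-hammering limit `MAX_PIN_ATTEMPTS` is an assumed value, and the two-device scenario with a reused PIN is constructed; the real Windows Hello protocol and TPM internals are not reproduced.

```python
"""Model of a device-bound PIN next to a server-side password.

Added example, not the article's or Microsoft's code. The 'TPM' is a per-device
random secret that never leaves the device; MAX_PIN_ATTEMPTS is an assumed
anti-hammering threshold. The demo scenario (one user, two devices sharing a
PIN, a tiny wordlist) is constructed for illustration.
"""
import hashlib
import hmac
import secrets

MAX_PIN_ATTEMPTS = 4  # assumed lockout threshold; real platforms differ


def lockout_success_probability(pin_digits, attempts):
    """Chance of guessing a uniformly random numeric PIN before lockout."""
    return attempts / 10 ** pin_digits


class Server:
    """What the relying party stores: password hashes, or a key per device."""

    def __init__(self):
        self.passwords = {}    # user -> (salt, sha256(salt + password))
        self.device_keys = {}  # device_id -> key shared at enrollment

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        self.passwords[user] = (salt, hashlib.sha256(salt + password.encode()).digest())

    def check_password(self, user, password):
        # The password itself must travel to the server to be checked.
        salt, digest = self.passwords[user]
        return hmac.compare_digest(digest, hashlib.sha256(salt + password.encode()).digest())

    def enroll_device(self, device_id, key):
        self.device_keys[device_id] = key

    def check_response(self, device_id, nonce, response):
        # The server sees a challenge response, never the PIN.
        expected = hmac.new(self.device_keys[device_id], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Device:
    """A laptop or phone whose PIN only unlocks a key sealed to a device secret."""

    def __init__(self, device_id):
        self.device_id = device_id
        self.tpm_secret = secrets.token_bytes(32)  # stands in for the TPM; never exported
        self.pin_check = None
        self.failed_attempts = 0

    def _sealed_key(self, pin):
        # Key depends on PIN *and* device secret: a stolen PIN alone cannot rebuild it.
        return hmac.new(self.tpm_secret, b"key:" + pin.encode(), hashlib.sha256).digest()

    def enroll(self, server, pin):
        self.pin_check = hmac.new(self.tpm_secret, b"check:" + pin.encode(), hashlib.sha256).digest()
        server.enroll_device(self.device_id, self._sealed_key(pin))

    def respond(self, nonce, pin):
        """Answer a challenge; None when the PIN is wrong or the device is locked out."""
        if self.failed_attempts >= MAX_PIN_ATTEMPTS:
            return None  # anti-hammering: further guesses are refused outright
        candidate = hmac.new(self.tpm_secret, b"check:" + pin.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(candidate, self.pin_check):
            self.failed_attempts += 1
            return None
        self.failed_attempts = 0
        return hmac.new(self._sealed_key(pin), nonce, hashlib.sha256).digest()


def pin_login(device, server, pin):
    nonce = secrets.token_bytes(32)
    response = device.respond(nonce, pin)
    return response is not None and server.check_response(device.device_id, nonce, response)


def remote_login_with_stolen_pin(server, device_id, pin):
    """Attacker knows the PIN but holds no device: the sealed key must be guessed."""
    nonce = secrets.token_bytes(32)
    guessed_key = hashlib.sha256(pin.encode()).digest()  # best effort without the TPM secret
    return server.check_response(device_id, nonce, hmac.new(guessed_key, nonce, hashlib.sha256).digest())


def online_pin_brute_force(device, server):
    """Try every 4-digit PIN against the device; returns (pin_or_None, guesses_made)."""
    for n in range(10_000):
        if device.failed_attempts >= MAX_PIN_ATTEMPTS:
            return None, n  # lockout reached after MAX_PIN_ATTEMPTS wrong guesses
        guess = f"{n:04d}"
        if pin_login(device, server, guess):
            return guess, n + 1
    return None, 10_000


def offline_password_crack(server, user, wordlist):
    """Stolen hash database: no lockout, every candidate can be tried offline."""
    for candidate in wordlist:
        if server.check_password(user, candidate):
            return candidate
    return None


def demo():
    server = Server()
    laptop, phone, tablet = Device("laptop"), Device("phone"), Device("tablet")
    for dev in (laptop, phone, tablet):
        dev.enroll(server, "2580")  # constructed: the user reuses one PIN everywhere
    server.set_password("alice", "Summer2024!")  # constructed password
    return {
        "legit_pin_login": pin_login(laptop, server, "2580"),
        "remote_with_pin_only": remote_login_with_stolen_pin(server, "laptop", "2580"),
        "stolen_second_device": pin_login(phone, server, "2580"),  # reuse bites here
        "online_brute_force": online_pin_brute_force(tablet, server),
        "offline_crack": offline_password_crack(server, "alice", ["password", "Summer2024!", "letmein"]),
        "p_4digit_4_tries": lockout_success_probability(4, MAX_PIN_ATTEMPTS),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model shows both sides of the article’s argument: a shoulder-surfed PIN is useless to a remote attacker and online guessing stops at the lockout, whereas a copied password hash can be cracked offline at leisure; but the moment the user reuses the PIN on a second device and that device is stolen, the device binding no longer protects anything.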
Based on the above, some people go as far as to say that PIN security is actually better than password security.
However, while PINs do add another layer of security on top of passwords, they come with the same set of problems that plague passwords: humans, and their difficulty remembering long and complex combinations of digits and letters.
In any case, both access methods suffer from the same basic problem that passwordless authentication sets out to solve: usability without compromising security. By taking human memory out of the picture altogether, passwordless MFA helps reach levels of security that are not possible when humans are the weak link.