What will retire the PIN code?
The common 4-digit PIN is 48-years old and alone is not secure enough to authenticate yourself with your apps, devices, services and even your house alarm. But is there a better alternative?
Bet that you have already advised your grandmother to change her lockscreen PIN to something else than 1234, 0000, or even 5683 (spells LOVE). If you feel that this is not enough for you, here are some of the other options available already or emerging at the horizon.
Try 6, but don’t use a date
The international standard for security in retail banking allows PINs from 4 to 12-digits, but alsо states that due to usability reasons the maximum length could be 6 digits. This happened to be the length envisioned by the PIN’s inventor John Shepherd-Barron but his wife could remember only 4 digits and so this became the most commonly used length nowadays.
The 4 digits combinations are 10 000, but the bad guys can crack 20% of them in a few seconds.
However adding more digits only is not sufficient to make a PIN hard-guessable. In fact it worsens the situation. Studies have found that the greater the number of digits required, the more predictable selections become. Because for most people it is hard to remember a random long number sequence (say 9 or 15 digits) and so they chose one that can remember. Easy to remember generally makes it predictable. If you can figure out and remember a 6-digit number that breaks the most common patterns – go for it.
Password is too complicated
Passwords with at least 8 characters combining letters (at least one caps), numbers and special symbols are considered to be the most difficult to crack. But it takes too long to enter with a smartphone keyboard and it is easy for you to make a mistake and to have to enter it again. That could be really frustrating sometimes, especially when you are in a hurry.
Pattern is fast
Swiping a pattern with your finger is faster than entering a PIN or password, so many people use this method – at least for unlocking the phone’s screen. But it could be traced and guessed too. Just sit and watch as your 5-year old child figures it out how to unlock your phone alone. How many attempts did she need?
The world’s first emoji passcode has been launched last month. The British startup Intelligent Envoirmants behind it says that it is 500 times more secure than a standard 4-digit PIN code. And it is more intuitive for the millennials. After all it is not the most secure method but sure it is the most entertaining one. 🙂
You are the password
Adoption of the biometrics on smartphones is expected to boost the mobile payments worldwide and fingerprints seemed to be the easiest to implement. In the world of smartphones Motorola did it first – in 2011 with the Android-based Atrix phone. Two years later the fingerprint unlocking of the phone hit mainstream as Apple introduced TouchID in its iPhone 5s. HTC and Samsung followed. And now fingerprint ID technology is at the core of Apple Pay and Android Pay. But it’s not so difficult to fake a fingerpint or to steal its data copy from the phone.
Facial recognition entered the phone with the Face Unlock feature in Android 4.1 Ice Cream Sandwich. Unfortunately its scanner could be tweaked by showing a printed picture of your face. Currently facial recognition is used for the Trusted Face feature at the Smart Lock, which came with Android 5.0 Lollipop recently. But as the technology evolves it slowly leaves the experimental area and enters maturity. Soon it could require you to make a goofy face or to blink with your eyes.
Voice recognition is the other option the developers are playing around with these days. For example Google is pushing voice commands more and more as a core part of Android, with devices like the Nexus 6 having always-on voice recognition.
Google’s Smart Lock already offers “Trusted Voice” as addition to “Trusted face”, “Trusted device”, “Trusted places” to bypass the lock screen based on how you say “OK Google.” But even Google warns that it is not so secure as a traditional lock screen or password.
High hopes are put on the iris scan security technology as the Android-based Arrows NX F-04G was announced at MWC 2015. The phone and the underlying iris scanner are developed by Fujistu for the Japanese provider NTT DoCoMo and is already available at the Japan market for approximately $750.
After your iris has been mapped once, the Iris Passport feature needs half a second to unlock your phone when you just look at it. Also it can be used with any applications that require a password, or for payment authentication.
There is on one to rule them all – take the multi-factor approach
Biometrics themselves have the same basic flaw of traditional passwords — they’re a single point of failure. For sure their use will be increasing, but it should always be in tandem with at least one other security method.