It’s suggested we use 14-character passwords with numbers, letters, and symbols, and we change this password every 90 days. It’s also suggested this isn’t very secure. I like big numbers, and a 14-character password using all the available characters on our keyboard puts the number of possible combinations at 1.4e+103, or 1 with over a hundred 0s behind it. That´ll be tough to break. So, when we look at a four-digit PIN code, which has only 10,000 possible combinations, how could that possibly provide more security? On its own, it doesn’t, but when used the right way and with a second factor, it can provide the highest levels of security.

When we use PIN codes, they are almost always used with something else. When making a purchase or withdrawing cash from an ATM, we use the PIN code with a bank card. This is a very common example of two factor authentication (2FA). There is a knowledge-based factor and a possession-based factor. We could use passwords in these instances, but it’s not necessary to go to the same lengths because in this application, the PIN codes are tied to bank cards, and without the bank cards, PIN codes are useless. This is the case with all 2FA that involves a possession-based factor.

There are several options to consider when using two factors. They can be broken down fairly comprehensively into three categories; possession, knowledge, and inherent/biometric. Combining any two of these factors is significantly stronger than a password, often because social engineering and phishing become utterly ineffective, but also because now there are two barriers to entry as opposed to one. Within those categories, we have even more choice. For instance, a user could possess a Smart card, SIM card, phone, tablet, or any device that can communicate with a computer. The biometric options are growing too, with behavioral biometrics presenting interesting options, some providers claiming they can take hundreds of different human characteristics into play.

Biometrics can appear to be as secure as it gets. You can’t tell someone your face or how you walk, you can’t be tricked into giving someone your fingerprint or how you hold your phone. So how can a simple four-digit PIN compete with that? Well there’s something a PIN can do that biometrics can’t. In the context of Public Key Infrastructure (PKI), there’s a public key that anyone can use, and a private key, that only you should have. Often with possession based 2FA, like Smart cards or USB keys, your private key is right there in your wallet or on your key chain, and almost impossible to crack. This combined with a password or PIN is considered the top end of security.

Phones aren’t considered as strong as security tokens, so we’re reluctant to store keys there. If not on a phone or physical token, we store our keys on servers and request access to them when we need them. The concern here is if the server is breached or there’s an insider attack (more common than you’d think), the keys are vulnerable. As I’ve written before, biometrics compare what you provide them (a face, fingerprint, etc.) to a template, and if you’re close enough to that template, your key is released for use. This means your key is not truly protected by your biometric property, it is protected by another key secured by the device, a device we heavily rely on. This is great when it comes to dedicated security hardware like USB keys, Smart Cards, or Hardware Security Modules in servers, not so great when it’s a run of the mill mobile phone.

A PIN code, if used wisely, can be cryptographically tied to your private key; no need to store it or another key for decryption. It can actually be part of the encryption that protects your key. This means that when your key is used to sign in or verify a transaction, it had to be your PIN that was used. Only the correct PIN can allow the right signature to be created, with no risk that your key was stolen and used without your input. Your private key is unidentifiable in a sea of 9,999 other keys; a needle in a stack of identical needles.

This means that if you can split up your private key into individually worthless pieces, you can keep one of these pieces on a phone, encrypted with a PIN impossible to steal or identify - an assurance biometrics cannot provide. And if the key is split, the user can always be in possession of one part of their key, rendering the rest of their key, stored securely on a server or leaked on the dark web, completely useless.

@MaxCvdP