Widely Reused and Shared, Infrequently Updated, and Sometimes Inherited: A Holistic View of PIN Authentication in Digital Lives and Beyond
Hassan Khan, Jason Ceci, Jonah Stegman, Adam J. Aviv, Rozita Dara, Ravi Kuber

TL;DR
This study explores how users choose, share, reuse, and update PINs across various assets, revealing that memorability often outweighs security concerns and that PINs are rarely updated even after compromise.
Contribution
It provides a holistic view of PIN usage behaviors, highlighting the prevalence of PIN reuse, inheritance, and the lack of updates, with insights for improving human-device security interactions.
Findings
Memorability is the primary criterion for PIN choice.
PIN updating is infrequent, even after compromise.
Users often reuse and inherit PINs without proper updates.
Abstract
Personal Identification Numbers (PINs) are widely used as an access control mechanism for digital assets (e.g., smartphones), financial assets (e.g., ATM cards), and physical assets (e.g., locks for garage doors or homes). Using semi-structured interviews (n=35), participants reported on PIN usage for different types of assets, including how users choose, share, inherit, and reuse PINs, as well as behaviour following the compromise of a PIN. We find that memorability is the most important criterion when choosing a PIN, more so than security or concerns of reuse. Updating or changing a PIN is very uncommon, even when a PIN is compromised. Participants reported sharing PINs for one type of asset with acquaintances but inadvertently reused them for other assets, thereby subjecting themselves to potential risks. Participants also reported using PINs originally set by previous homeowners for…
