"I have no idea what they're trying to accomplish:" Enthusiastic and Casual Signal Users' Understanding of Signal PINs

TL;DR

This study explores how Signal users understand and manage PINs, revealing a split between enthusiasts and casual users, and suggests improved communication could enhance security awareness.

Contribution

It provides empirical insights into user behaviors and perceptions regarding Signal PINs, highlighting the need for better user education to improve security practices.

Findings

56% of users understand PIN purpose; 44% do not

Most enthusiasts use complex PINs stored in password managers

Casual users rely on short numeric PINs

Abstract

We conducted an online study with $n = 235$ Signal users on their understanding and usage of PINs in Signal. In our study, we observe a split in PIN management and composition strategies between users who can explain the purpose of the Signal PINs (56%; enthusiasts) and users who cannot (44%; casual users). Encouraging adoption of PINs by Signal appears quite successful: only 14% opted-out of setting a PIN entirely. Among those who did set a PIN, most enthusiasts had long, complex alphanumeric PINs generated by and saved in a password manager. Meanwhile more casual Signal users mostly relied on short numeric-only PINs. Our results suggest that better communication about the purpose of the Signal PIN could help more casual users understand the features PINs enable (such as that it is not simply a personal identification number). This communication could encourage a stronger security posture.