Our position is that, with the right authentication underpinnings – based on cryptography – a PIN is better than a password, and we’ll explain why.
Let’s first consider how a PIN can be like a password.
We concede that PIN and a Password have certain similarities. They each:
- Are something the user will know and must remember.
- Are something the user will keep secret, and will not share (or should not share, if he/she hopes to keep secure whatever the PIN or Password is intended to protect).
- Can be quite similar in format – A PIN can be a set of digits like 342894, but enterprise policy might require complex PINs that include special characters and letters, both upper-case and lower-case – which can make a PIN seem very much like a Password (at least in format and complexity).
So, how are a PIN and a Password different?
The answer lies in how they’re used.
A Password typically resides both in the mind of the user, and is also stored in some form (typically in a database) at the site, server or application the user wishes to authenticate to.
The user enters his/her password when challenged to do so, and it is sent across a network to a site or server, to be compared against the copy of the user’s password it keeps on file.
If the server’s copy of the user’s password matches what was transmitted, the user is considered legitimate, and can perform whatever functions or work the site offers.
However, this brings to light two common attack vectors that have plagued the use of passwords for a long time – being transmitted across the network, and existence of a stored password copy on the destination server.
Users typically must remember, and must regularly change each of their unique password for each of (typically 70-80 or more) sites he/she might need to access. To do this, the user must successfully log into each site to be able to change his/her password for that site.
About a PIN
With Passwordless Authentication, the user’s PIN is tied to the device – it never leaves the user’s computer. This is a very important distinction. That PIN is useless to anyone without that specific hardware. Someone who steals your password can sign-in as you from any device, but if they steal your PIN, to be able to do anything with it they’d have to steal your physical device too!
Even you cannot use that PIN anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up a PIN on each device.
Being local to the device, the PIN is never transmitted anywhere; a copy of it is not stored on the site or server you want to authenticate to – so, unlike a password, it can’t be attacked by “sniffing” network traffic. It also can’t be attacked if the destination Site’s database is breached, since there is no copy of the user’s PIN stored . It also protects against users being tricked into entering their credentials into fake “look-alike” sites. That eliminates very common account attack vectors we mentioned above – ones that have plagued the use of Passwords – observing/sniffing the network, attacking the site or its database directly or tricking users into divulging their passwords (often through phishing eMails).
When you enter your PIN, it unlocks the authentication key, which can then be used to authenticate with the remote server.
Because SecureDoc Passwordless Authentication uses asymmetric (Private/Public) key pairs, users’ credentials cannot be stolen in cases where the identity provider or websites the user accesses have been compromised. The only thing stored at the destination site is a Public key provided by the user’s authenticator, which by itself cannot be used to attack the user’s account.
Safely stored inside the user’s device is the user’s Private Key, and it stays exactly that… PRIVATE.
Using a PIN saves time over Passwords. Here’s why:
Since the device will be performing your authentication (again using Private/Public Keys) you only need to remember one PIN for the device, which in the case of SecureDoc PA can then be used for passwordless login to multiple sites. That one PIN unlocks your secure access to all the sites you need.
If you compare that to using passwords, you would:
- Need a separate password for each site (it’s a weak security posture to use the same password on multiple sites).
- Need to rotate or change each of those 70-80 passwords on a regular basis, to protect against being sniffed or guessed (a risk that grows the longer a given password is kept).
- Need to log in to each site successfully to be able to change your Password for that site. That alone adds up to a lot of unproductive time – and it will only keep your access “somewhat safe” for the next 30-60-90 days, or whatever your password retention rules are… but ultimately you’ll need to repeat this unproductive and frustrating exercise again near the end of every retention cycle.
With a PIN, you don’t need a different PIN for each web site, server or application you want to authenticate to. You can change your one PIN as you wish, or according to company policy… but there’s only one PIN to change.
One PIN will do fine to secure the access to all your sites. You can change it rapidly and easily whenever required or desired, AND without needing to authenticate to any of the sites you would normally access. Remember the PIN is only known by the computer you use to access those sites, and those sites know nothing about your PIN.
The PIN is, usually, backed by hardware
The PIN can be backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software is unable to tamper with the security functions of the TPM.
User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who might want to capture the key material and reuse it.
The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked for a period of time before the user may again attempt to enter the PIN.
A PIN can be complex, or can be simple
If desired, the PIN can be complex, containing special characters, uppercase characters, lowercase characters, and digits. More importantly the PIN can be simple and easy to enter. A 6 or 8 digit PIN is all that is required in most cases to be secure, and this can in fact be much more secure than a long and very complex password (see below)
On the surface, a PIN looks much like a password. A PIN can be a set of digits like 342894, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like a83873B# could be an account password or a complex PIN. It isn’t the structure of a PIN (length, complexity) that makes it better than a password, it’s how it works.
Using a PIN with the right cryptography-based authenticator (like SecureDoc Passwordless Authentication):
- It provides stronger, more secure authentication than a password traversing a network/stored on a distant server
- It is dramatically easier to manage: Since your PIN is only known to your computer, you can change it easily, whenever you want to, without impacting downstream sites, or having to log into them.
- It is easier to remember – you only need to remember one PIN, versus typically 70-80 or more passwords.