Your IT: "Your account is now secured with a PIN, adding an extra layer of security to your account."
Your Users: "Great idea! I'll just use my credit card PIN, that way I will always remember my computer PIN too!"
PINs are often suggested as better than passwords when it comes to accessing devices, including by Microsoft as a fallback for biometrics with Windows Hello.
PINs can make sign-in quicker and more usable. Typing a short PIN instead of a password eases some of the usability and fatigue problems that come with passwords. A PIN is also usually bound to one device, so a leaked PIN is only useful to someone who also holds that device, which limits the damage from a compromise. But when it comes to security, which one is the better choice, PINs or passwords? Neither.
Both PINs and passwords suffer from the same fundamental flaw: they rely on human beings to authenticate users. Like passwords, PINs are secrets that depend on human memory and manual entry, and in practice a device PIN usually just unlocks credentials that still sit behind passwords on the services the device connects to. Ultimately, both methods are inferior to passwordless authentication, and here is why.
Unpacking the common misconceptions about PINs
PINs almost always require manual entry, and most systems that use them lock out after a fixed number of failed attempts. That makes online brute force impractical: with a lockout after four wrong guesses, an intruder's chance of hitting a four-digit PIN is 4 in 10,000, or 0.04%. The lockout is the whole defence, though. If an attacker can test guesses offline against a copy of the stored PIN hash, with no counter in the way, all 10,000 four-digit combinations fall in well under a second.
In addition, PINs such as the Windows Hello PIN are backed by a Trusted Platform Module (TPM), a dedicated crypto-processor designed to carry out cryptographic operations. Many modern laptops ship with a TPM, which lets the device enforce the attempt counter in hardware and keeps the key the PIN protects from leaving the chip, strengthening the Windows Hello PIN further.
Based on the above, some people go as far as to say that PIN security is actually better than password security.
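The point above is easier to see in code. The following is an added example, not code from the original post or from Microsoft: a PIN verifier that enforces a retry budget the way the text describes, an online attacker that runs into that budget, and an offline attacker who holds a copy of the stored hash and has no counter to stop them. The class and function names, the four-attempt limit and the sample PIN are all constructed for illustration.

```python
"""Added example: lockout-protected PIN verification versus an offline guess.
Names (PinVerifier, online_attack, offline_attack) are illustrative only."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

MAX_ATTEMPTS = 4   # assumption: lock after four wrong guesses
PIN_SPACE = 10_000  # four decimal digits


class PinVerifier:
    """Holds a salted PIN hash plus a failure counter.

    The counter lives with the verifier. That is the property a TPM gives
    you in hardware: the attacker cannot reset or bypass it.
    """

    def __init__(self, pin: str) -> None:
        self.salt = os.urandom(16)
        self.digest = self._hash(pin, self.salt)
        self.failures = 0
        self.locked = False

    @staticmethod
    def _hash(pin: str, salt: bytes) -> bytes:
        # A real system uses a slow KDF or a TPM-sealed key; plain SHA-256
        # is enough to show the effect of the counter.
        return hashlib.sha256(salt + pin.encode()).digest()

    def verify(self, guess: str) -> bool:
        if self.locked:
            return False
        if hmac.compare_digest(self._hash(guess, self.salt), self.digest):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.locked = True
        return False


def online_attack(verifier: PinVerifier) -> Tuple[bool, int]:
    """Guess PINs in order through the verifier; returns (success, attempts)."""
    attempts = 0
    for n in range(PIN_SPACE):
        attempts += 1
        if verifier.verify(f"{n:04d}"):
            return True, attempts
        if verifier.locked:
            return False, attempts
    return False, attempts


def offline_attack(salt: bytes, digest: bytes) -> Optional[str]:
    """The attacker has salt and hash and nothing throttles their guesses."""
    for n in range(PIN_SPACE):
        candidate = f"{n:04d}"
        if PinVerifier._hash(candidate, salt) == digest:
            return candidate
    return None


def guess_probability(attempts: int, digits: int = 4) -> float:
    """Chance of an online guesser succeeding within the attempt budget."""
    return attempts / (10 ** digits)


if __name__ == "__main__":
    v = PinVerifier("7391")  # constructed sample PIN
    print(online_attack(v))                   # (False, 4): locked out
    print(offline_attack(v.salt, v.digest))   # 7391
    print(f"{guess_probability(MAX_ATTEMPTS):.2%}")  # 0.04%
```

The online attacker is stopped after four guesses, matching the 0.04% figure; the offline attacker recovers the same PIN by walking the whole space, which is why the counter must live somewhere the attacker cannot copy, such as a TPM.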
However, while PINs do add another layer of security on top of passwords, they come with the same set of problems that plague passwords - humans, and their difficulty remembering long and complex combinations of digits and letters.
Why PINs don’t trump passwords
"It isn't the structure of a PIN (length, complexity) that makes it better than a password, it's how it works," according to Microsoft. In theory, because PINs are tied to a device they are considered safer.
The most common way to implement PINs in an enterprise setting is to link them to a physical asset, such as a desktop computer or a mobile device. The physical asset is the first factor, and the PIN provides an additional level of verification that authorizes the user.
The PIN, like biometrics, requires the operator to be physically in possession of the device and to interact with it by hand. It would seem that the PIN is highly secure by design. In practice, though, PIN deployments have weaknesses that come from how people use them.
A PIN is in theory unique to the machine it unlocks, but as just about every security professional knows, users reuse the same PIN over and over. Most users set the same PIN on every device they own, which negates the benefit of device binding: the scheme only holds if a PIN captured from one device is useless on the others. The problem is made worse by the fact that users reach their accounts from several devices.
Removing the underlying problem with PINs and passwords
PINs can be subject to the same set of IT management policies as passwords, such as complexity, length, expiration, and history. So, in theory, administrators can set policies for managed devices to require PIN complexity similar to a password.
The problem here, again, is the human factor: people will pick the PIN that is easiest for them to remember, which is usually their ATM PIN. Some technologies, such as Windows Hello, require a PIN to be set up even when biometric sign-in is enabled, since it serves as the fallback. So, in the end, the PIN is just another piece of data for users to forget or reuse and for threat actors to steal.
The best solution is to eliminate PINs and passwords altogether in favor of passwordless authentication. By taking the human factor out of the picture, passwordless authentication that never stores a fixed credential anywhere in the system reaches levels of security that are not possible when human memory is involved.
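The management controls listed above (length, complexity, expiration, history) can be enforced at enrollment. The following is an added example, not code from the original post or from any vendor: a checker that applies such a policy and also rejects sequential, repeated and commonly chosen PINs. The policy values, the blocklist and the sample PINs are assumptions chosen for illustration. It also shows the limit the text points at: a blocklist catches 1234, but nothing in the policy can tell that a user's new six-digit PIN is the one they use at the bank.

```python
"""Added example: a PIN enrollment policy checker. Policy values, the
blocklist and the helper names are assumptions, not any vendor's defaults."""
import hashlib
from datetime import date, timedelta
from typing import List

POLICY = {
    "min_length": 6,      # assumption
    "max_age_days": 180,  # assumption; 0 means "never expires"
    "history": 5,         # assumption: remember the last five PIN hashes
}

# Constructed blocklist of the kind of PINs that dominate breach corpora.
COMMON_PINS = {"1234", "0000", "1111", "123456", "111111", "000000", "654321"}


def _is_sequence(pin: str) -> bool:
    """True for runs like 123456 or 987654 (ascending or descending)."""
    diffs = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return diffs in ({1}, {-1})


def _is_repeat(pin: str) -> bool:
    """True when every digit is the same, e.g. 0000."""
    return len(set(pin)) == 1


def pin_hash(pin: str, salt: bytes) -> str:
    # History is kept as salted hashes so a stolen history file does not
    # hand over old PINs directly; a real deployment should use a slow KDF.
    return hashlib.sha256(salt + pin.encode()).hexdigest()


def check_new_pin(pin: str, history: List[str], salt: bytes) -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if not pin.isdigit():
        problems.append("digits only")
    if len(pin) < POLICY["min_length"]:
        problems.append(f"shorter than {POLICY['min_length']} digits")
    if pin in COMMON_PINS:
        problems.append("on the common-PIN blocklist")
    if pin.isdigit() and len(pin) >= 4 and (_is_sequence(pin) or _is_repeat(pin)):
        problems.append("sequential or repeated digits")
    if pin_hash(pin, salt) in history[-POLICY["history"]:]:
        problems.append(f"reused within the last {POLICY['history']} PINs")
    return problems


def is_expired(set_on: date, today: date) -> bool:
    """Expiration check driven by the same policy table."""
    max_age = POLICY["max_age_days"]
    return max_age > 0 and today - set_on > timedelta(days=max_age)


if __name__ == "__main__":
    salt = b"constructed-salt"
    history = [pin_hash(p, salt) for p in ("482913", "771020")]
    print(check_new_pin("1234", history, salt))    # three violations
    print(check_new_pin("482913", history, salt))  # reused
    print(check_new_pin("930417", history, salt))  # [] accepted
    print(is_expired(date(2024, 1, 1), date(2024, 9, 1)))  # True
```

Every check here operates on the PIN's shape or its local history. None of them can see what the same person typed into a cash machine, which is the reuse the paragraph above is about.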