1. A study of user-chosen 4- and 6-digit PINs collected on smartphones found that using 6-digit PINs instead of 4-digit PINs provides little to no increase in security, and may even decrease security against a throttled attacker.
2. Blacklists, which disallow "easy to guess" PINs during selection, offer little or no benefit against a throttled guessing attack when they are as small as the ones in use today, in both the enforcing and the non-enforcing setting. A blacklist covering about 10% of the PIN space may provide the best balance between usability and security.
3. Participants perceive the PINs they select under a blacklist as more secure, without any measurable impact on memorability or convenience, except when the blacklist is very large.
The article provides a comprehensive study of user-chosen 4- and 6-digit PINs collected on smartphones, with participants explicitly primed for the device-unlocking use case. The study finds that using 6-digit PINs instead of 4-digit PINs provides little to no increase in security and, surprisingly, may even decrease security against a throttled attacker, i.e. one limited to a small number of guesses by lockout or wipe policies. The article also studies the effects of blacklists, where a set of "easy to guess" PINs is disallowed during selection. iOS uses two such blacklists today, one for 4-digit and one for 6-digit PINs. The study finds that the relatively small blacklists in use today offer little or no benefit against a throttled guessing attack.
The article provides guidance for developers on choosing an appropriately sized PIN blacklist that makes a measurable difference in the throttled scenario, finding that a 4-digit PIN blacklist needs to cover about 10% of the key space to have a noticeable impact. However, the article does not explore other potential solutions or counterarguments to this approach.
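To make the throttled-attacker metric behind these findings concrete, the following Python model is an added illustration and not code from the study. It computes the fraction of users cracked by an attacker with a fixed guess budget who knows the PIN popularity distribution and guesses the most popular allowed PINs first, and it shows why the value of a blacklist depends on where blocked users go. The PIN frequencies are constructed (Zipf shaped over the 4-digit space, ranks in numeric order purely for determinism), the two displacement models ('proportional' and 'head_shift') are assumptions that bracket real behaviour rather than the study's measured data, and the function names are the example's own.

```python
"""Throttled-guessing evaluation of PIN blacklists.

Added illustration, not code from the study: a throttled attacker (lockout or
wipe after a small number of wrong guesses) who knows how popular each PIN is
always guesses the most popular PINs that can still exist, most popular first.
A blacklist only helps if the probability mass it removes from the head of the
distribution does not simply land in the attacker's next guesses, which depends
on where blocked users go. The PIN frequencies are CONSTRUCTED (Zipf shaped
over the 4-digit space), not measured data, and the two displacement models
are assumptions used to bracket that behaviour.
"""


def constructed_pin_distribution(n_digits=4, exponent=1.0):
    """Constructed popularity weights: the PIN of rank r gets weight 1/r**exponent.
    Ranks follow plain numeric order ('0000' first) only to keep the example
    deterministic; real rankings (1234, 0000, birth years, ...) come from data."""
    size = 10 ** n_digits
    return {str(i).zfill(n_digits): 1.0 / (i + 1) ** exponent for i in range(size)}


def by_popularity(dist):
    """PINs sorted most popular first (ties broken lexically)."""
    return sorted(dist, key=lambda p: (-dist[p], p))


def top_k_blacklist(dist, k):
    """The k most popular PINs: the natural blacklist for a given size."""
    return set(by_popularity(dist)[:k])


def apply_blacklist(dist, blacklist, displacement, compliance=1.0):
    """Distribution after a blacklist is shown at PIN selection.

    `compliance` is the fraction of users with a blacklisted PIN who actually
    change it (1.0 for an enforcing blacklist; lower for a warning that can be
    clicked through). `displacement` is an ASSUMPTION about where they go:
      'proportional': re-pick among allowed PINs in proportion to popularity,
                      i.e. the remaining head is diluted by the whole tail;
      'head_shift'  : the users of the i-th most popular blocked PIN move to the
                      i-th most popular allowed PIN, i.e. the head just shifts.
    """
    out = {}
    displaced = []  # weight that leaves each blocked PIN
    for pin, w in dist.items():
        if pin in blacklist:
            out[pin] = w * (1.0 - compliance)
            displaced.append(w * compliance)
        else:
            out[pin] = w
    allowed = [p for p in by_popularity(dist) if p not in blacklist]
    if displacement == "proportional":
        allowed_total = sum(dist[p] for p in allowed)
        moved = sum(displaced)
        for p in allowed:
            out[p] += moved * dist[p] / allowed_total
    elif displacement == "head_shift":
        if len(displaced) > len(allowed):
            raise ValueError("blacklist larger than half the PIN space")
        for p, w in zip(allowed, sorted(displaced, reverse=True)):
            out[p] += w
    else:
        raise ValueError(f"unknown displacement model {displacement!r}")
    return out


def throttled_success(dist, budget, blacklist=frozenset(), enforcing=True):
    """Fraction of users cracked within `budget` guesses by an attacker who knows
    the distribution. Under an enforcing blacklist the blocked PINs cannot occur,
    so the attacker skips them; under a non-enforcing one they may still be in
    use, so the attacker guesses over the whole distribution."""
    total = sum(dist.values())
    guesses = [p for p in by_popularity(dist) if not (enforcing and p in blacklist)]
    return sum(dist[p] for p in guesses[:budget]) / total


def compare(n_digits=4, budget=10, fraction=0.10):
    """Cracked fraction at `budget` guesses with no blacklist and with an enforcing
    blacklist covering `fraction` of the PIN space, under each displacement model."""
    dist = constructed_pin_distribution(n_digits)
    k = round(fraction * 10 ** n_digits)
    bl = top_k_blacklist(dist, k)
    return {
        "none": throttled_success(dist, budget),
        "proportional": throttled_success(apply_blacklist(dist, bl, "proportional"), budget, bl),
        "head_shift": throttled_success(apply_blacklist(dist, bl, "head_shift"), budget, bl),
    }


if __name__ == "__main__":
    for frac in (0.001, 0.01, 0.10):
        r = compare(fraction=frac)
        print(f"blacklist {frac:6.1%}: none={r['none']:.3f} "
              f"proportional={r['proportional']:.4f} head_shift={r['head_shift']:.3f}")
```

Under the 'proportional' assumption even a tiny blacklist looks effective, while under 'head_shift' no blacklist that merely moves the head helps at all; the measured study data sits between these extremes, which is exactly why the list has to be large enough to cover the whole head of the real distribution. To evaluate a candidate blacklist for a real deployment, feed `throttled_success` measured post-policy PIN counts rather than either model, and use `enforcing=False` whenever users can click through the warning.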
The article notes that all findings were responsibly disclosed to Apple Inc., but it is unclear if any action was taken based on these findings.
Overall, the article appears to provide valuable insights into the security of smartphone unlock PINs and the effectiveness of blacklists. However, it would benefit from exploring alternative solutions and considering potential biases or limitations in its methodology.