I noticed that a lot of high-risk websites, such as bank and payment platforms, do not use passwords for authentication (as usual) but instead use a PIN code where the numbers are placed at random positions each time, like on this one:

[image: PIN keypad with the digits placed at random positions]

What is the point with this authentication method? Any advantages or disadvantages compared to traditional passwords?

My guesses are:

  • Attack by keylogger is not possible.
  • Attacks by brute force / rainbow tables / social engineering are more difficult.
schroeder
Mxsky
    Somewhat related question: http://security.stackexchange.com/questions/100945/is-there-any-way-my-password-is-hashed-if-im-only-ever-asked-to-provide-5-out/ – paj28 May 06 '16 at 11:31

2 Answers

This is to a large extent just security theater. It forces users to hop through a couple of hoops in the name of security, and thereby makes them feel secure since they expended effort in the name of security.

That said, it does in fact defeat a simple key logger (since no keys are pressed) or a mouse click logger (since knowing the coordinates of a mouse click will not give you any information about what number was clicked).

However, it does not protect against more sophisticated attacks. If someone has managed to install a keylogger on your computer, it is effectively game over. It is no longer your computer. If someone can install a keylogger, they can also install a program that hooks into your browser and logs everything being entered into a text or password field, or all outgoing HTTP and HTTPS requests before they are encrypted with TLS. Just like a keylogger, malware like this does not need to be targeted against a specific site to work.

In addition, they come with a number of security downsides (apart from the usability):

  • They are more vulnerable to "shoulder surfing", as the screen is harder to hide than the keyboard.
  • Since only numbers are allowed in this case, it limits the number of possible passwords and therefore makes brute force attacks easier. There are about 2000 million different passwords with six alphanumeric characters. There are 10 million different passwords with six numeric characters.

One upside, as techraf mentions in comments, is that you avoid revealing smudge marks on touch devices.

Anders
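The mechanism this answer describes, as an added example that is not part of the answer or of any real banking site: the server picks a fresh digit layout per login attempt and decodes clicked key positions itself, so positions recorded in one attempt decode to a different PIN in the next, while the PIN space itself stays at 10^6 (versus 36^6 for six case-insensitive alphanumeric characters). The PIN and the layouts are constructed values.

```python
import secrets

DIGITS = "0123456789"


def new_layout(rng=None):
    """Server side: fresh random arrangement of the ten digits for one login attempt.
    layout[position] is the digit displayed at that key position."""
    rng = rng or secrets.SystemRandom()
    layout = list(DIGITS)
    rng.shuffle(layout)
    return layout


def digits_to_positions(pin, layout):
    """Client side: the key position the user clicks for each digit of the PIN."""
    return [layout.index(d) for d in pin]


def positions_to_pin(positions, layout):
    """Server side: map submitted positions back to digits using this attempt's layout.
    The layout must be bound to the attempt that issued it, never reused."""
    return "".join(layout[p] for p in positions)


def keyspace(alphabet_size, length):
    """Number of distinct secrets of the given length over the given alphabet."""
    return alphabet_size ** length


def expected_brute_force_seconds(space, guesses_per_second):
    """On average half the space is searched before the secret is hit."""
    return space / 2 / guesses_per_second


if __name__ == "__main__":
    pin = "483920"  # constructed sample PIN
    layout_a = new_layout()
    clicks = digits_to_positions(pin, layout_a)
    assert positions_to_pin(clicks, layout_a) == pin  # server decodes correctly

    # The same click positions replayed against a later attempt's layout
    # decode to an unrelated PIN: coordinates alone carry no digit information.
    layout_b = new_layout()
    print("replayed positions decode to:", positions_to_pin(clicks, layout_b))

    # The shuffle does not enlarge the search space of the PIN itself.
    print("6-digit PINs:", keyspace(10, 6))
    print("6-char alphanumeric:", keyspace(36, 6))
```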

This sort of thing makes a lot more sense on a touchscreen of some kind, or a physical interface. I've seen pictures of PIN pads on doors that do similar shuffling using light-up numbers under each key instead of physically painted or molded lettering. I'm not in a position in my life where I've actually encountered that level of security outside of pictures, though.

Anyway, in those venues, it can prevent fingerprints or screen smudges from giving away the passcode, since there is no way to know what numbers were underneath the fingerprints or smudges when the software-defined "keys" were pressed. It's less useful on a PC with a mouse; however, since the Internet world is "going mobile", and with tablets or hybrid devices becoming more popular, the chances of your site loading on a touchscreen are getting better and better.

Ben