Your Password is Your New PIN

Abstract

This chapter will describe a method of deriving new PINs from existing passwords. This method is useful for obtaining friction-free user onboarding to mobile platforms. It has significant business benefits for organizations that wish to introduce mobile apps to existing users who already have passwords, but are reluctant to authenticate the users with the existing passwords. From the user’s perspective, a PIN is easier to enter than a password, and a derived PIN does not need to be remembered—assuming the user has a password and can recall it. In addition, even though the PINs are derived from passwords, they do not contain sufficient information to make the passwords easy to infer from compromised PINs. This, along with different transaction limits for PINs and passwords, makes the derived PINs more useful in a situation where users have to enter their PINs in public. We describe real-life password distributions to quantify exactly how much information about the passwords the derived PINs contain, and how much information is lost during the derivation. We also describe experiments with human subjects to qualitatively and quantitatively show that the user-side derivation method is easy to use.