No doubt you saw the coverage in the press recently about using emoji-based PINs instead of numeric PINs.
The argument was that a larger character set makes a PIN much more secure. The suggested emoji character set had 44 emojis to choose from.
Yes, moving from the digits 0-9 to 44 emojis does increase the size of the keyspace, but that is completely the wrong message to communicate! Length matters just as much, and it is a lever users already have.
We already have a character set that is better than numeric PINs. It offers around 95 printable characters on a standard US layout (a few more on national layouts such as the UK one) and is already enabled on virtually every mobile and desktop computing device out there.
IT’S CALLED YOUR KEYBOARD!
…and it lets you create nice, complex passwords. It is maybe less practical to enter than a PIN when driving at 80 mph (but we don't do that, do we?), but you could pick your own limited character set to keep entry easy: say lowercase only, five letters. That is already better than 4 emojis.
Now for some (loose) maths
Choosing 4 emojis from a set of 44 gives 44^4, about 3.7 million combinations.
A 4-digit numeric PIN gives 10^4, i.e. 10,000. Emoji win!
But all you have to do is make your PIN 7 digits and you have beaten emoji auth (6 digits gives 1 million, which is still short of 3.7 million, so 7 is the minimum):
You get 10 million combinations with that, making for a PIN that is roughly 2.7 times stronger.
You didn’t have to learn anything new, you just used existing tech to make your PIN better.
Or use your keyboard: 5 lowercase letters from 26 gives 26^5, about 11.9 million combinations, roughly 3 times stronger than the 4 emojis.
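To put numbers on the length-versus-alphabet argument above, here is an added example (not code from the original post). The alphabet sizes and lengths are the ones the post uses; the guess rate in the timing estimate is an assumption chosen to illustrate an online attacker throttled by device lockouts, not a measured figure. It also generalises the post's comparison: given any two schemes, it works out how long a secret over one alphabet must be to match the other.

```python
import math

# Added example (not from the original post): put numbers on the
# "length vs. character set" argument. Alphabet sizes and lengths come
# from the post; the guess rate used for the timing estimate is an
# assumption for illustration only.


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct secrets when each of `length` positions is drawn from
    `alphabet_size` symbols (repeats allowed, which is how PINs work)."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Strength in bits, assuming the user picks uniformly at random.
    Real users do not, which is the post's point about patterns."""
    return length * math.log2(alphabet_size)


def length_to_beat(alphabet_size: int, rival_alphabet: int, rival_length: int) -> int:
    """Shortest secret over `alphabet_size` symbols whose keyspace is at
    least as large as `rival_length` symbols from `rival_alphabet`."""
    target = entropy_bits(rival_alphabet, rival_length)
    n = math.ceil(target / math.log2(alphabet_size))
    # Guard against floating point landing one short of the boundary.
    while keyspace(alphabet_size, n) < keyspace(rival_alphabet, rival_length):
        n += 1
    return n


def strength_ratio(a: tuple[int, int], b: tuple[int, int]) -> float:
    """How many times larger keyspace `a` (alphabet, length) is than `b`."""
    return keyspace(*a) / keyspace(*b)


def exhaustive_search_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every secret at a steady guess rate. An online
    attacker facing device lockouts is rate-limited, so a low rate is the
    realistic input here; offline cracking would be many orders faster."""
    return keyspace(alphabet_size, length) / guesses_per_second


SCHEMES = {
    "4-digit PIN": (10, 4),
    "4 emoji from 44": (44, 4),
    "7-digit PIN": (10, 7),
    "5 lowercase letters": (26, 5),
}

if __name__ == "__main__":
    ASSUMED_RATE = 1 / 30  # assumption: one guess every 30 s once lockouts kick in
    for name, (alphabet, length) in SCHEMES.items():
        days = exhaustive_search_seconds(alphabet, length, ASSUMED_RATE) / 86400
        print(f"{name:20s} {keyspace(alphabet, length):>12,d} combos  "
              f"{entropy_bits(alphabet, length):5.1f} bits  ~{days:,.0f} days to exhaust")
    print("digits needed to beat 4 emoji:", length_to_beat(10, 44, 4))
    print("emoji needed to beat 7 digits:", length_to_beat(44, 10, 7))
```

Running it confirms the post's figures: 7 digits is the shortest numeric PIN that beats 4 emoji, and 5 emoji would be needed to get back ahead of a 7-digit PIN. The bits column makes the trade-off explicit: each extra digit adds about 3.3 bits, each extra emoji about 5.5, so three extra digits always outweigh the larger alphabet.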
Yes, there are some broader, valid points that the emoji proposal does help to raise:
The worst possible PIN is no PIN at all. Getting people talking about implementing authentication on their mobile devices is a good thing.
Extending character sets for authentication is also a good point to raise, as it can massively increase offline password cracking time.
But you can achieve something similar with locale-specific characters. The £ (pound sterling) sign is a good example, as it is found mainly on UK-related keyboards; the gain only holds, of course, against an attacker whose wordlists and masks were built for other locales.
But in common use, I'll bet we would see the same old fails with emoji PINs as with numeric PINs:
1234 is a terrible PIN. Similarly, choosing adjacent emojis on the keypad is just as bad.
Patterns also make PINs predictable, so any PIN or emoji sequence that follows a line across the keypad, or anything similar, is a poor choice.
There's a great paper about predictability with Android PIN patterns here.
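The predictable patterns described above are easy to screen for at enrolment time. The following is an added example, not code from the original post: it flags PINs that are on a small blocklist, repeat a block, run sequentially, or trace adjacent keys or a straight line on the keypad. The phone keypad is the standard 3x4 grid; the 44-symbol emoji keypad is a constructed 4x11 grid used only to show the same checks apply to a larger keypad, not the layout of any real product, and the blocklist is a handful of well-known offenders rather than a full list.

```python
from typing import Sequence

# Added example (not from the original post): flag PINs that follow the
# predictable patterns the post warns about. PHONE_KEYPAD is the standard
# 3x4 telephone layout; EMOJI_KEYPAD is a constructed 4x11 grid of 44
# emoji used purely for illustration, not any real product's layout.

Coord = tuple[int, int]

# Standard telephone keypad: rows 0-2 hold 1-9, the 0 sits under the 8.
PHONE_KEYPAD: dict[str, Coord] = {
    "1": (0, 0), "2": (0, 1), "3": (0, 2),
    "4": (1, 0), "5": (1, 1), "6": (1, 2),
    "7": (2, 0), "8": (2, 1), "9": (2, 2),
    "0": (3, 1),
}

# Constructed 44-symbol emoji keypad: U+1F600 onwards, 11 per row.
EMOJI_KEYPAD: dict[str, Coord] = {
    chr(0x1F600 + i): (i // 11, i % 11) for i in range(44)
}

# A few of the usual offenders; a real deployment would use a much larger
# list derived from breach data.
COMMON_PINS = {"1234", "0000", "1111", "1212", "7777", "4321", "2580", "1122"}


def is_sequential(pin: Sequence[str]) -> bool:
    """Digits that step by exactly +1 or -1 throughout (1234, 6543)."""
    if len(pin) < 2 or not all(ch.isdigit() for ch in pin):
        return False
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def is_repeated_block(pin: Sequence[str]) -> bool:
    """Made of one short block repeated (1212, 7777, 123123)."""
    s = "".join(pin)
    for size in range(1, len(s) // 2 + 1):
        if len(s) % size == 0 and s[:size] * (len(s) // size) == s:
            return True
    return False


def _deltas(pin: Sequence[str], layout: dict[str, Coord]) -> list[Coord]:
    """Row/column step between each consecutive pair of keys; empty if any
    symbol is not on this keypad."""
    if not all(ch in layout for ch in pin):
        return []
    pts = [layout[ch] for ch in pin]
    return [(r2 - r1, c2 - c1) for (r1, c1), (r2, c2) in zip(pts, pts[1:])]


def all_adjacent(pin: Sequence[str], layout: dict[str, Coord]) -> bool:
    """Every key touches the previous one (including diagonally)."""
    d = _deltas(pin, layout)
    return bool(d) and all(max(abs(dr), abs(dc)) == 1 for dr, dc in d)


def is_straight_line(pin: Sequence[str], layout: dict[str, Coord]) -> bool:
    """Same adjacent step every time: a row, column or diagonal (2580, 159)."""
    d = _deltas(pin, layout)
    return len(d) >= 2 and len(set(d)) == 1 and max(abs(d[0][0]), abs(d[0][1])) == 1


def weak_pin_reasons(pin: Sequence[str], layout: dict[str, Coord] = PHONE_KEYPAD) -> list[str]:
    """Return why `pin` is predictable; an empty list means no check fired."""
    reasons = []
    if "".join(pin) in COMMON_PINS:
        reasons.append("on the common-PIN blocklist")
    if len(set(pin)) == 1:
        reasons.append("every symbol identical")
    elif is_repeated_block(pin):
        reasons.append("short block repeated")
    if is_sequential(pin):
        reasons.append("sequential digits")
    if is_straight_line(pin, layout):
        reasons.append("straight line across the keypad")
    elif all_adjacent(pin, layout):
        reasons.append("every key adjacent to the previous one")
    return reasons


if __name__ == "__main__":
    for candidate in ("1234", "2580", "1235", "8068"):
        print(candidate, weak_pin_reasons(candidate) or ["no pattern detected"])
    # The same checks on a row of four neighbouring emoji from the constructed grid.
    row = [chr(0x1F600 + i) for i in range(4)]
    print("emoji row", weak_pin_reasons(row, EMOJI_KEYPAD))
```

The layout-based checks take the keypad as a parameter, so swapping in a different grid is all that is needed to apply them to a new keyboard; the emoji row in the demo is flagged for exactly the reason a 2580 is, which is the post's point that a bigger alphabet does nothing about lazy selection.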
It's easier to press large buttons on numeric keypads with your fingers. Pressing one of 44 small emojis accurately is rather harder than one of 10 large numbers, which pushes users towards the easy, and therefore predictable, choices!
Conclusion
It's great to get people talking about authentication, but using emojis is just plain silly when we already have plenty of very usable, effective PIN and password options.