Gfyuki

What are the general criteria for rejecting an insecure PIN to access a building?

There has been a lot of discussion about password selection security. Minimum length requirements, mandatory classes of characters, etc. I have not found much concerning PIN selection security. Furthermore, there are several types of access that a PIN protects (phone, credit card, building). Each may have their own particular vulnerability characteristics.

I am in the loop on the installation of a new security system which allows personnel to enter a building by entering a PIN on a keypad by the door. Individuals are allowed to select their own PIN which is entered into the system under their name. I am aware of some insecure PINs, such as 12345 (or any consecutive digits sequence), the location's zip code or part of the company's phone number or address.

Anyone with a legitimate need may request access to the building. This includes everyone from executives to employees and and perhaps occasionally, guests. This particular building is a church, so there are no national secrets to protect. I would characterize the security requirements to be similar to a house. Interior offices are protected with physical keys.

There are only 100000 potential values if you have a 5 digit PIN. That means that a single PIN can be brute forced in a relatively small length of time, unless there is some form of secondary restriction against a person standing next to the door and trying each number. This gets worse if there are multiple people with distinct codes for access to the system - assuming each person selects a random code, it'll only take n/100000 tries on average to find a working code, where n is the number of people with access.

It would probably be reasonable to expect a dedicated attacker to manage 1000 tries per hour - it doesn't take very long to type a 5 digit number. That would give an upper bound of 100 hours, with a single code. That's 3 (pretty boring) weekends with some breaks for food, which, depending on what is in the building, may well be worth it. The system as described can't implement account lockout - the only way to determine which user is trying to access is through the code.

So, how to solve this?

1. Use the PIN as a secondary factor - have an access card, and a PIN, for example. It is then possible to have account lockout after some failed PIN entries.


2. Enforce limits on the PIN in other ways - have someone guarding the door who prevents too many tries, have a CCTV camera pointing at the door which is monitored for unusual activity (someone standing there trying each possible code)


3. Have a much longer PIN, making it impractical to keep trying codes

You would also probably want to ensure that the codes being entered cannot be monitored in other ways - for example, by pointing a video camera at the key pad.

PINs are usually accompanied by some other authentication factor, like biometrics or a physical token. So, the PIN is not a lone factor in authentication.

You appear to describe a situation where people can gain access to a secured building by punching in a code. Let me rephrase that: by using static, difficult to change information that can be easily copied and shared, the public gains access to the inside of your building.

The control against that threat is to make it very difficult to record and guess or use the physical appearance of the pin pad to deduce the code. That means making the PINs long and putting physical controls in place to make recording more difficult and to place layers of additional authentication protection on the inside of the building.

Because you are asking about the rejection process, my suggestion would be to use a random number generator instead of people choosing their own, and make it long. This bypasses people choosing PIN pad patterns or other pattern-based PINs which can be easy to guess or observe.