IPhone's New PIN Rule Makes a Point About Apple's View of Security

As Apple Pay grows, the security of Apple's mobile devices becomes more critical. With fingerprint identification built into every new iPhone built since 2013, why is Apple now strengthening its rules for PIN authentication?

The upcoming version of the Apple mobile operating system, iOS 9, will raise the minimum lock-screen PIN length to six digits, compared with the four-digit minimum in place today.  There's a good reason for this: Despite Apple's focus on its biometric Touch ID system, fingerprint authentication is still optional for all logins. Thus, even with Touch ID enabled, a cyberthief still needs to only get a user's PIN to get full access to an Apple device.

Cracking a PIN with software, or simply guessing it, is made far more difficult when the PIN is even two characters longer than the current default. IPhone users are still vulnerable to shoulder-surfing or choosing a PIN that is too obvious (such as 123456), but Apple's change makes a significant difference in protecting a device that is increasingly linked to sensitive payment data.

However, the time it took Apple to enable this change – which still does not take effect until it releases iOS9 in October – and the poor communication of it speak to Apple's views on security. Apple is all about the experience and anything that interferes with that experience, such as security, takes a back seat to other features. Apple's increased rhetoric around security reflects increased scrutiny of its technology in the wake of last year's iCloud nude photo leaks and the more recent issues with how banks approve cards for use in Apple Pay.

But even this change to PIN security was only possible on Apple's terms because of the widespread use of Touch ID. On a Web page explaining the change, Apple said: "The passcodes you use on your Touch ID–enabled iPhone and iPad will now have six digits instead of four. If you use Touch ID, it’s a change you’ll hardly notice. But with one million possible combinations — instead of 10,000 — your passcode will be a lot tougher to crack."

Although six digits is certainly more secure, it may end up making little difference to cyberthieves, who are increasingly looking for alternatives to the brute-force cracking of passwords, said Avivah Litan, a vice president and analyst at Gartner.

"Obviously six digits is stronger security than four, but in the end, cyberthieves who record keystrokes in order to capture passwords don't care if it's four, six or 24 digits," she said. "Making it six digits instead of four just strengthens the fortress against low-tech attacks."

Anyone looking for that detail would have to hunt for it; security still seems to be a low priority in Apple's marketing. When Apple executives on June 8 presented details of iOS 9 at Apple's annual Worldwide Developers Conference, not one mention was made of the PIN change. Apple also did not mention it in a news release detailing quite a few iOS 9 changes. It was only later, in a very lengthy page about iOS9 on Apple's site, did Apple even mention the PIN change and, even then, it was the 39th change mentioned in a list of 43.

But that's how Apple views security. The Apple rationale is that customers must get comfortable with technology and then make it a habit. Once consumers accept the new technology, security can slowly—and quietly—be ratcheted up later.

Litan added that these changes could have another impact, which could strengthen security indirectly. By making the PIN that much more complicated, it will encourage shoppers to use the (now even more convenient, by comparison) Touch ID, "which Apple is also no doubt improving for accuracy and ease of use," she said.

Apple is also adding two-factor authentication in iOS9, but only in very limited situations, specifically when signing in from a new browser or a new device. When that happens, users "will be prompted for a verification code. This code is automatically displayed on your other Apple devices or sent to your phone," Apple said on its website.

Why not use that two-factor authentication for Apple Pay purchases above a pre-determined dollar value? Or when making a password change or when accessing other sensitive information?

The Touch ID situation is more problematic. One of the advantages of Touch ID is that sharply reduces how often a shopper is forced to key in their PIN, which is the best way to thwart shoulder-surfing by literally reducing the number of opportunities to steal the PIN. Touch ID is also a fundamentally more secure authentication technique than a PIN, especially a 4-character PIN. But there are many reasons for Touch ID to fail. Apple's choice was to either let a Touch ID failure kill the transaction or allow it to default to the PIN.

Security argues for that transaction to then die, but user experience argues to use the PIN. For Apple Pay to succeed, Apple can't let the authentication process be an intrusion.