Everybody Stop Using 4-Digit PINs, Already
When it comes to security, there is always a trade-off between convenience and robustness. Facial recognition may be the easiest way to unlock your device, but is it really keeping your data safe? In the second Android 14 Developer Preview, Google has made some tweaks regarding PIN authentication. However, from a security perspective, it seems to be a case of two steps forward, one step back.
Although the major changes are not yet live, Android expert Mishaal Rahman has discovered a new toggle that will let the device accept a valid PIN as soon as it is entered, without the user manually submitting it. This increases convenience but also makes it easier for attackers to brute-force the final digit of the PIN. To minimize this risk, the toggle will be available only if the PIN is at least six digits long. Google is also adding a message to advise users that longer PINs offer better security, but four-digit PINs are not yet banned altogether.
Recent reports have illustrated how easy it is for someone in possession of your phone to steal your entire Google account by guessing your PIN, and this has prompted a re-evaluation of security protocols. While it may be harder to remember, a six-digit PIN is significantly more secure than a four-digit one.
It remains to be seen if Google will modify this approach in a future release of Android 14, but if you want to try it out, the Developer Preview is available for download now.