The Impact of Length and Mathematical Operators on the Usability and Security of System-Assigned One-Time PINs

Over the last decade, several proposals have been made to replace the common personal identification number, or PIN, with often-complicated but the- oretically more secure systems. We present a case study of one such system, a specific implementation of system-assigned one-time PINs called PassGrids. We apply various modifications to the basic scheme, allowing us to review usabil- ity vs. security trade-offs as a function of the complexity of the authentication scheme. Our results show that most variations of this one-time PIN system are more enjoyable and no more difficult than PINs, although accuracy suffers for the more complicated variants. Some variants increase resilience against obser- vation attacks, but the number of users who write down or otherwise store their password increases with the complexity of the scheme. Our results shed light on the extent to which users are able and willing to tolerate complications to au- thentication schemes, and provides useful insights for designers of new password schemes.