Entities within the US Federal Government are in the midst of a drastic change regarding how they approach the services they are using—moving away from traditional on-prem and proprietary systems to cloud services based on private platforms, like Azure and Amazon Web Services. However, the requirements for security remain the same regardless of the platform being used.
This can result in some confusion with those who do not have extensive experience working within the publications provided by the National Institute of Standards and Technology (NIST). One element which often comes up is the requirements around the complexity and length of Personal Identification Numbers (PINs) used to authenticate functions on phishing-resistant multi-factor authentication (MFA) tools, including security keys like the YubiKey.
PINs and memorized secrets
PINs are commonly used in many aspects of our lives today; anyone with a debit card regularly provides their PIN during any transaction withdrawing money from their accounts. In the world of NIST guidance, PINs fall under a class of authenticators referred to as memorized secrets. Memorized secrets also include passwords and passphrases; essentially, something you memorize and provide as part of your authentication flow.
Traditionally, PINs are considered to only be comprised of numeric characters. However, this is not a requirement as presented by NIST—any alphanumeric character is considered acceptable. The primary differentiating factor is how a PIN is used.
Unlike passwords or passphrases, PINs are used to authenticate locally to a device, like a smart card or FIDO2 authenticator, and are not typically used to access external services. Malicious entities attempting to hijack or fraudulently use a PIN would need access to the device associated with said PIN, increasing the complexity of such an attack.
Memorized secrets are allowed for low security services, but are also often part of a MFA flow in conjunction with a hardware authenticator in high-security environments. Regardless, the requirements for the length and complexity of a memorized secret remain the same.
Basic requirements for memorized secrets
NIST has defined basic characteristics all memorized secrets have to follow, regardless of if they are a passphrase, password or PIN. The goal of these requirements is to provide a uniform level of security across environments, allowing for objective analysis of risks and threats.
One of the key differences in the NIST guidance when compared to password security policies from the past is a move away from an emphasis on complexity and rotation. As noted in NIST Special Publication 800-63B, Appendix A — Strength of Memorized Secrets:
Many attacks associated with the use of passwords are not affected by password complexity and length. Keystroke logging, phishing, and social engineering attacks are equally effective on lengthy, complex passwords as simple ones.
In place, NIST guidance emphasizes the importance of unique values for memorized secrets which are easy for users to remember, and not forced to be excessively long or complex. PINs have an advantage of further being authenticated locally on a device like a WebAuthn Authenticator or PIV Smart Card, and requires physical access.
Creating compliant PINs
The key metric NIST spells out for PINs, as well as any memorized secret, is the minimum length. The actual minimum PIN length differs depending on if it was created by a user, or generated as a random string by a Credential Management System (CMS). The maximum length is not defined but it is encouraged that users do not create excessively long values, as that can lead to risky user behaviors. Furthermore, a denylist of commonly used values should be utilized to prevent easy to guess values from being used—for example, “12345678” should never be accepted!
For a user-defined PIN, the length must be at least 8 characters. Characters can be any alphanumeric character, but special characters are discouraged. The value of the PINs should not have any information tied to the identity of the user, such as Employee ID, SSN, phone number and the like. Compliant PINs should also not have any information directly related to the authenticator, including the serial number or other identifiers.
PINs should only be cycled when it is believed there is a chance they have been compromised. These cases can include when they are entered in an unsecured environment, viewed by someone other than the user or exposed online.
Compliant PINs are often generated by a credential management system (CMS) or other automated process. In this case, values for PINs require a minimum length of only 6 characters. The same restrictions as user entered PINs still apply. PINs should not be saved anywhere by the CMS – the values should be only known to the authorized user.
Securing PINs with modern MFA
Complex rules for the creation and rotation of PINs, passwords and other memorized secrets have proven to be more of a hindrance for legitimate users than protections against malicious entities. Modern direction for securing services emphasizes policies focused on ensuring uniqueness, but also easy to remember secrets paired with phishing-resistant MFA – creating a better, more secure experience for users.
YubiKeys offer the best of both worlds when combined with compliant PINs – the best available security against phishing attacks and account takeovers, as well as the best user experience. At their core, shared secrets are vulnerable to cyberattacks like phishing, but establishing the trust relationship between PINs and security keys allows for the authentication mechanism to be based on unique public and private keypairs that perform a secure asymmetric cryptographic ceremony. The authentication ceremony can never be performed without the private key, which to be truly secure, must be stored in hardware that can be attested and not be exportable.
To learn more about how phishing-resistant MFA tools like security keys can help strengthen your security posture beyond PINs, check out more information here.