Bootstrapping Mobile PINs Using Passwords

We describe a method of deriving PINs from passwords. The method is useful to obtain friction-free user onboarding to mobile platforms. It has significant business benefits to organizations that wish to introduce mobile apps to existing users – but which are reluctant to make the users authenticate with passwords. From the user’s perspective, a PIN is easier to enter than a password, and a derived PIN does not need to be remembered – assuming the user can recall her password. The use of tiered authentication – relying on both PINs and passwords – hardens systems against compromise. This is because transactions relying on PINs can have lower transaction limits and flagging thresholds than transactions authenticated using passwords. Even though our PINs are derived from passwords, they do not contain sufficient information about the passwords to make the passwords easy to infer from compromised PINs. We quantify exactly how much information about the passwords and the derived PINs contain, and how much information is lost – based on reallife password distributions. We also assess the usability of the proposed method using one 25-subject qualitative study and one 100-subject quantitative study. Keywords-bootstrapping, dropbox, entropy, malware, password, PIN.