What colour is your PIN?

I was getting some cash out of the hole-in-the-wall a while back and was presented with the usual warning about keeping my PIN safe by guarding it with one hand while blocking the view with my body and making aggressive noises at anyone that happened to pass by. Why are we still using a security system that is so easy to circumvent? Why do I need to be wary of anyone looking over my shoulder, or of the cashier whenever I use my Chip And Pin card?

I began to wonder if it might be possible for someone to see me enter my PIN, but still not actually know what it is. What if my secret code wasn’t solely tied to the numbers on the keys, but to some other variable as well? What if there was a means of entering my code, which wouldn’t require me to type in the same number twice – and would actually be likely to fail if I did?

The idea I came up with involves adding an additional parameter to each key on the keypad. For simplicity I’ve used colour. The idea is that the colours of the keys are randomised each time you have to enter a PIN – perhaps even each time you press a key – and that your “PIN” will actually consist of a combination of numbers and colours. Consider the keypad below:

1 2 3
4 5 6
7 8 9
* 0 #

On this keypad you can see the usual numbers and characters that you might expect to find, but each has a coloured background. Let’s pick a simple four-character PIN – 1234 – and see what that could actually be interpreted as:

  • 1,2,3,4
  • 1,2,3,Green
  • 1,2,Blue,4
  • 1,2,Blue,Green
  • 1,Green,3,4
  • Yellow,Green,Blue,Green

In fact there are sixteen possibilities, since each of the four positions can be read either as its number or as its colour. This means that if someone looks over your shoulder and sees you type “1234” they would still need to know which of the sixteen combinations was the valid one, because the next time someone uses the keypad the colour coding will have changed to something else.

To set your code in the first place you simply have to enter it twice: the terminal switches the colours between the two entries so that every number is given a different colour to the one it had previously. The machine then compares the two entries digit by digit: if the number is the same in both entries, the digit is stored as a number; if the colours are the same, the digit is stored as a colour; if neither matches, there is a mismatch between the two codes.

I’ve hacked up a little script to let you try this for yourself (follow the link below). Pick a code consisting of numbers and/or colours, then punch it into the two keypads. Click on the “Reveal Code” button and you can see that the computer is able to determine your code just by entering it twice. If you reload the page you will also notice that the arrangement of colours is randomised each time, so the same “code” will probably require different numbers to be pressed.

Click here for a demonstration of setting a PIN+Colour code
(note: This works on Firefox, but I make no guarantees about any other browser)
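The enrolment and verification rules described above, as an added example in JavaScript that is not the post's own demo script; the three colours follow the demo, while the keypad layouts and the names LAYOUT_A and LAYOUT_B are constructed for illustration.

```javascript
// Added example, not the post's own demo script: enrolment and verification for a
// PIN+colour code. The colour set and keypad layouts below are constructed for illustration.
const COLOURS = ["Yellow", "Green", "Blue"];
const KEYS = ["1", "2", "3", "4", "5", "6", "7", "8", "9", "*", "0", "#"];

// Second enrolment layout: every key gets a colour different from its previous one, so
// "same key" and "same colour" can never both hold at one position of the two entries.
function shiftedLayout(layout) {
  const out = {};
  for (const k of KEYS) out[k] = COLOURS[(COLOURS.indexOf(layout[k]) + 1) % COLOURS.length];
  return out;
}

// The post's enrolment rule, position by position: same key => store the number; same
// colour => store the colour; neither => the two entries disagree (returns null).
function enrol(presses1, layout1, presses2, layout2) {
  if (presses1.length !== presses2.length) return null;
  const code = [];
  for (let i = 0; i < presses1.length; i++) {
    const k1 = presses1[i], k2 = presses2[i];
    if (k1 === k2) code.push({ type: "number", value: k1 });
    else if (layout1[k1] === layout2[k2]) code.push({ type: "colour", value: layout1[k1] });
    else return null;
  }
  return code;
}

// A later entry: each press must satisfy its stored element under the layout shown that time.
function verify(code, presses, layout) {
  return presses.length === code.length && code.every((el, i) =>
    el.type === "number" ? presses[i] === el.value : layout[presses[i]] === el.value);
}

// What a shoulder-surfer is left with: every number-or-colour reading of the presses they
// saw under the layout they saw, i.e. 2^n candidates (sixteen for a four-press PIN).
function interpretations(presses, layout) {
  return presses.reduce((candidates, k) => candidates.flatMap(c => [
    [...c, { type: "number", value: k }],
    [...c, { type: "colour", value: layout[k] }],
  ]), [[]]);
}

// Constructed layout reproducing the post's reading of "1234" as Yellow,Green,Blue,Green;
// the remaining keys are coloured arbitrarily.
const LAYOUT_A = { "1": "Yellow", "2": "Green", "3": "Blue", "4": "Green", "5": "Blue", "6": "Yellow",
  "7": "Green", "8": "Yellow", "9": "Blue", "*": "Blue", "0": "Green", "#": "Yellow" };
const LAYOUT_B = shiftedLayout(LAYOUT_A);
// Enrol the code 1, 2, Blue, Green: typed as "1234" on layout A and as "1248" on layout B.
const CODE = enrol(["1", "2", "3", "4"], LAYOUT_A, ["1", "2", "4", "8"], LAYOUT_B);
```

Note that a colour position has only three possible values against ten for a number, so a code made mostly of colours is easier to guess outright, while it is the number positions that a shoulder-surfer can reuse unchanged.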

So how would this idea manifest itself in the real world? Cashpoints are relatively easy as most of them have a colour screen these days – their code simply needs to be updated to display a coloured version of the keypad on-screen for reference. Chip And Pin terminals would be harder, but illuminated pushbuttons, or buttons with integrated LEDs, could do the job.

For people with colour-vision deficiencies this is no worse than the current system as they can always pick a number-only PIN. That said, through careful choice of colours (after all, only three are used in the demonstrations) it should be possible to cater even for the majority of people with such issues.

There’s no reason why this idea should be limited to numeric keypads and PINs. With an on-screen keyboard (or an Optimus Maximus) showing the key colours, this could be expanded to work with your computer’s login screen as well. The secondary part of the code doesn’t have to be colour, either – it could be a shape, an image, a movement or something else. So long as the locations of the secondary part(s) are randomised between login attempts, or between keypresses, it becomes harder for an attacker to simply re-use the “password” they saw you type in earlier.