So my son's daycare has changed their entry method from an RFID card to a 4-digit pin. To open the door, you have to enter a 4 digit pin (you choose your pin, it is not assigned). There is no other metric tying the pin to the person. This is the only entry verification. Once you enter a correct pin at the main door, you have access to the entire building, there are no other doors or security within the building. You don't even have to walk by a person (ie reception).
What is the probability of getting into the building by guessing a random 4 digit code?
I know I need to get more information:
- Number of pin's
- Are the pins unique?
- Are they filtering out dumb ones (ie 1234)
- How many wrong attempts do I get?
- Anything else I should ask? If so, how will that affect things?
I would like to meet with them to discuss my concerns. Could someone help with the math so I can factor in the above as I get the information? I will probably create a spreadsheet and put in the numbers as i'm having the meeting.
Am I overthinking this? [Damn it Jim,] I'm an engineer not a mathematician, but my gut tells me it is insecure…
Thanks in advance.
Best Answer
This has been fleshed out in the comments, but I'll write this in the spirit of contributing an answer to this question.
This is one of those probability problems where it's easier to consider the chances of something not happening than having it happen. Suppose there are $N$ possible codes, of which $k$ work (hence, $N-k$ don't work). If a nefarious actor guesses by entering codes randomly, then the chance of getting the code wrong on the first try is $(N-k)/N$; hence, the chance of getting it right on the first try is $ 1- \frac{N-k}{N} = k/N$.
If they get to try a second time, then they're probably smart enough to discard their first wrong answer. There are still $k$ working codes, but there is now one less incorrect code to try, and one less code overall to consider. Thus, their chances of getting the code wrong twice are $\frac{N-k}{N} \cdot \frac{N-k-1}{N-1}$, and their chances of getting the code right at least once in their first two attempts is $1 - \frac{N-k}{N} \cdot \frac{N-k-1}{N-1}$.
You can hopefully see how this generalizes at this point. If they get $r$ tries at the code, then the probability of not opening the door becomes $$\frac{(N-k)(N-k-1) \cdots (N-k-r+1)}{(N)(N-1) \cdots(N-r+1)}$$ and thus the probability of them opening the door somewhere before that is the above subtracted from 1. If we wanted to express this compactly, we could use factorial notation; the probability of opening the door within the first $r$ attempts would be $$1 - \frac{(N-k)!/(N-k-r)!}{N!/(N-r)!}.$$
So, to make this more concrete: it is probably the case that any 4-digit number can be used as a code, and that the order of the digits matters, which would imply that $N = 10,000$ for this example. If we assume there are $k = 100$ valid codes, and the intruder can have $r = 3$ attempts, then the probability that they can get in is $$1 - \frac{9900!/9897!}{10000!/9997!} \approx 3\%$$ as discussed in the comments. See this link for a calculator that you can edit to reproduce these computations quickly.
Having only one code helps, but I'd argue the most important thing is probably to ensure that there's a practical cap on the number of attempts. If there are just five working codes but the user gets 100 tries at it, the probability of entry is almost 5%. (You can see this with the above link, or just by realizing that the intruder gets to try 100 different codes from among the 10,000 possible codes.) Notice that if something like a 10-second delay is placed between guesses, this would
As a fellow parent, I definitely share you concern about this situation, but (as I pointed out in the comments as well) there are advantages and disadvantages of this approach over an RFID card. A card could be dropped on the ground or stolen, which a PIN cannot. However, someone could disclose the PIN inappropriately, or a bad actor could watch over someone's shoulder, or they could use context clues like fingerprints or smudges to identify keys that are likely part of the code.
I find myself wondering if your real concern may not be with the PIN code, but rather the day care's commitment to security. If that's the problem, it won't be fixed by any security measure imaginable. You might ask them why they've made this switch. (Is it just for cost?) Have they carefully thought through the ramifications and risks of the switch? Are they able to articulate the relative strengths and weaknesses of the two methods? I think what you're looking for is evidence that anyone has put any thought into this.
My gut instinct is that a would-be bad guy is unlikely to sit there and guess codes for long, and that they would be more likely to try surveillance to obtain the code, entering through a window, or some other means of accessing the building. (I'm not an expert in security and have no real basis for that statement.) If the day care is flippant about security, then they could have a bank vault lock on the front door and it probably wouldn't stop a breach from happening.
So if it were me having a conversation with the day care about this, I'd ask them why they made this change, and I'd be looking not for some particular answer, but rather for them to have some convincing evidence that they've carefully considered this.
And man, it'd be nice if they had a receptionist.