As it is now, digits are shuffled just once at the start. This means PIN entropy is just 9!/(9-n)!, where n is the length of the PIN. Moreover, since a hacker with a keylogger would know which digits are repeated, adding an already-used digit doesn’t make your PIN any safer against such an attack.
However, if digits were shuffled on the display before entering every single digit, entropy would be 9^n, a much bigger number, and repeating digits would be of no concern.
For comparison, the entropy of a 5-digit PIN is just 15,120 with one-time shuffling (and no repeated digits) and 100,000 with multiple shuffling (with or without repeated digits).
Why doesn’t Trezor use multiple shuffling?
How would it be possible for a keylogger to catch the PIN that’s typed on the Trezor device? It’s never sent to the computer.
Using Trezor One. Forgot to mention that.
A hacker with a keylogger wouldn’t figure out the PIN, as you use a blind matrix on the screen. For every dot on this matrix there is a corresponding random number shown on your Trezor, and for every prompt the numbers will shuffle.
So you have to check your Trezor screen for actual layout.
I understand this. What I mean is the numbers are only shuffled once for the whole PIN, so if the same digit is used twice the hacker will know. This reduces entropy a lot.
I didn’t redo your calculations but they look correct.
But the lowered entropy of PIN is not actually a problem in practice. Consider your attacker:
- either they’re an evil maid and want to sweep your Trezor without you knowing – in that case, they cannot brute-force the PIN because they only get 16 attempts, exponential backoff, AND you know that someone’s been trying to get in. (Alternately, they get like one attempt per day.) In such case 15,120 possibilities is large enough.
(same applies for a regular thief who is not a hardware hacker, just wants to get in)
- or they want to steal your Trezor, destructively open it and extract the private keys via the Kraken attack – in which case they can completely skip the keylogger part and just brute-force all 9^9 PINs in an hour on a GPU.
A recent update increases the maximum length of PIN to 50 characters – and brute-forcing 9^50 isn’t so great anymore. So your argument would apply here.
However, the true reason why there’s no multiple shuffling shows up here: UX. It turns out that the PIN matrix method is complicated enough as is. Shuffling after every digit makes it measurably more difficult, and conversely more error-prone and/or longer. Entering a 50-digit PIN is enough of a hassle, you want the chances of making a mistake as low as possible.
This problem unfortunately doesn’t have a good solution without on-device entry.
Not to mention when the display is so small and fingers too big, so I keep missing the numbers.