The Signal secure messaging app has started forcing users to set a new PIN, popping up a nag dialog saying
Create a PIN
PINs keep information that's stored with Signal encrypted.
They've done a terrible job of communicating why they're doing this, so I went away and read a bunch of forum threads, GitHub tickets, blog posts and support documents and here's my own attempt at an FAQ more clearly answering the questions which immediately occurred to me when I got the nag dialog this morning.
What benefit do I gain by setting this PIN?
This new PIN makes sure your Signal account is kept safe from SIM hacks and mistakes by your phone provider.
Criminals often use SIM hacks or lie to mobile phone providers’ customer service. This can let them get your mobile phone number reassigned to their phone. Today they can then set up Signal on their phone, recieve the SMS verification code sent to your mobile number as part of Signal's setup, and connect to your Signal account. They can then start reading all your Signal messages from that moment onward. This is known as account hijacking.
Once you have set up a PIN, Signal can require that they enter both the verification code and the PIN before they can set up a new phone connected to your Signal account. By default, this registration lock feature won't be switched on, so you should switch it on after setting up your PIN.
In addition, Signal plans to start supporting a way to find contacts via some sort of username, rather than phone number. So eventually, you won't have to give people your phone number for them to be able to message you on Signal. To do this, they need to store contact information on their servers, and the PIN is used to keep that information secure.
The PIN is also used to encrypt information about contacts, groups, settings, and your profile, so that those things can be synced between your devices. The information is encrypted on the servers so that Whisper Systems don't have access to it.
How often will I have to enter this PIN?
Theoretically you should only need to enter the PIN when you set up a new device (like a new phone).
However, Signal will ask you to confirm the PIN periodically, just to make sure you remember it. The confirmation reminders will get less frequent each time you remember the PIN correctly, until they are 14 days apart. If you keep getting the PIN wrong, the reminders will get more frequent.
(This method for training you to remember the PIN is mostly for people who don't use password managers. You can use a text password rather than a numeric PIN if you prefer, and of course you can store it in a password manager. Unfortunately there's currently no way to turn the PIN reminders off completely.)
What happens if I forget the PIN?
The PIN isn't a screen lock PIN, it is not used to control whether you can use Signal. It's for securing connections from new devices to your Signal account, to prevent hijacking.
So as long as you still have access to a phone set up with Signal, you can change the PIN any time you like, and you don't need to know the old PIN in order to set a new one.
However, if you enabled protection from hijacking, can't remember the PIN and don't have a phone already set up with Signal, you won't be able to connect a new phone to your account for 7 days. Also, any synced data not on your phone will be lost when you re-register after the 7 days.
There is no way for Signal developers to recover a forgotten PIN.
Can't I use face scan, fingerprints or my phone's security?
You can continue to use your phone's security features to control access to the Signal app as you wish. This PIN isn't for that purpose. It's to prevent people from hijacking your Signal account, and is required because SMS isn't secure.
The PIN is also used to generate an encryption key used to secure your data on Whisper Systems’ servers. Biometrics can't be used to act as an encryption key for a number of reasons, including Apple not allowing access to the biometric data, biometrics being approximate rather than exact, and the inability to get a new face if you need to change the key!
What happens if I refuse to set a PIN?
Eventually it will be mandatory to set a PIN, so that Signal can be relied on to be reasonably secure from account hijacking. If people were allowed to skip protecting their account from hijacking, you would have no way to be confident that the person you were messaging hadn't been hacked.
This is stupid, other apps don't do this!
In fact, a number of other secure messaging systems have similar features.
Apple Messages locks setup of new phones by requiring login to your iCloud account. If you have other Apple devices, you also have to enter a code sent to one of those devices.
Keybase creates a code for you, and you then have to use that code (often scanned via QR code) to set up any new device. If you don't have any device set up, you lose access to your account unless you've stored a backup recovery code somewhere.
So is this a good idea or a bad one or what?
The feature of protecting your Signal messages from hijacking is definitely a good thing. I'm not sure I like this implementation, though (I kinda prefer Keybase's approach), and the way it has been communicated has been terrible.
Given that I kinda don't need to remember the PIN unless I get a new phone and don't have access to the old one, I think I'm OK with setting a value for this PIN and just seeing if I can remember it.
If it was a PIN needed for regular use of the Signal app it would be a bit of a deal-killer, but it isn't that.
What I think Signal really ought to do is make the features which require a PIN optional, and make it clear the dependency tree involved: