Probabilities

[HCHTech]

Ok, I had a slow afternoon, I admit it. This morning, one of my guys was putting in the 14th 2FA code of the day and commented that "there sure seem to be a lot of 2FA codes with duplicate numbers in them - I wonder how close these things are to truly random?"

It seems to me that the odds of this outcome are pretty high (having 2 of the digits match in a 6-digit code), but for sure this is a calculable thing. I spent an embarrassing amount of time trying to find the formula for calculating a probability like this, but came up empty.

Just trying to think through the problem a bit:

We have 6 digits, each of which could be between 0 and 9.
This means there are 10^6 possible outcomes for a six-digitcode.
Any digit has a 1 in 10 change of being any particular number.
If we assume the first digit is "1", then the odds that there will be another 1 somewhere in the following 5 digits would be .1+.1+.1+.1+.1, or 50%. I think -haha

BUT, we're not trying to calculate the odds of getting two 1's, but rather that there are ANY two digits that match, which makes me think I need a ^10 in there somewhere.

We're also NOT trying to calculate the odds that there would be ONLY 1 pair of matching digits, that would require the addition of the chance any digit would NOT match (9/10).

One of you folks did better in statistics than I did, I'm sure. How do I calculate this correctly?

 

[Computer Bloke]

It's easier if you work it backwards - what's the probability that there are no duplicate digits? (By "duplicate" I mean the same digit appearing two or more times in any position.)

Let's generate all the numbers without duplicate digits. For the first digit you have a choice of any of the ten. For the second, any of nine. And so on. That gives you 10*9*8*7*6*5 = 151,200 possible 6-digit numbers with no duplicate digits.

So the probability that there are no duplicate digits in a 6-digit number is 0.1512, and so the probability that there's at least one digit appearing at least twice in any random six-digit number is 0.8488. In other words, it'll happen a lot more often than not.

Now get back to work.

 

[Markverhyden]

It's easier if you work it backwards - what's the probability that there are no duplicate digits? (By "duplicate" I mean the same digit appearing two or more times in any position.)

Let's generate all the numbers without duplicate digits. For the first digit you have a choice of any of the ten. For the second, any of nine. And so on. That gives you 10*9*8*7*6*5 = 151,200 possible 6-digit numbers with no duplicate digits.

So the probability that there are no duplicate digits in a 6-digit number is 0.1512, and so the probability that there's at least one digit appearing at least twice in any random six-digit number is 0.8488. In other words, it'll happen a lot more often than not.

Now get back to work.

I see that all the time. Of course I don't know which method each site is using to create those 6 digit codes. But I did a quick check of one site I use where I get those codes by emails. All 10 of the last ones I got sent had at least 1 pair with almost half having 2 pairs matching. But the real important statistic is not how often they happen but of guessing and entering the correct code with in the allotted time. And since most of them sunset the code after 3-6 failed attempts it's a moot point in my book.

 

[HCHTech]

Now get back to work.

Hahahahaha! Indeed. Thanks for pointing to the solution. I invariably take the long, complicated road when looking at a problem the first time - I have other redeeming qualities, though!

 

[alexsmith2709]

It seems you arent the only one to wonder this. Heres an article from a few years ago https://www.wired.com/story/2fa-randomness/

 

[HCHTech]

That was an interesting article - thanks!

 

[NviGate Systems]

One company has a shelf of lava lamps to help with random numbers. I think Tom Scott did a video about it years ago.