Implementing a secure PIN code isn’t about what users can see — instead, it’s about what happens under the hood. While there are many PIN code implementations out there, the majority don’t measure up when it comes to user experience and compliance. Wultra’s solution raises the bar for modern PIN code implementation.
A PIN code should only exist in a user's head, and — for a very brief moment — in the volatile memory of their mobile device. We never store the PIN code on the mobile device or on the server, not even as a hash.
The PIN code only unlocks local cryptographic keys. These keys are used alongside operation data and a hash-based counter value to compute a one-time signature, which is later verified on the server.
The low-level C/C++ implementation under the hood allows us to work precisely with the memory. All data is contained in a dedicated part of memory, protected by ad-hoc encryption to complicate its retrieval by untrusted parties, and zeroed out immediately after its use.
If a user enters a PIN code incorrectly, we increase the number of failed attempts on the server side. Once five failed attempts (or another value specified in our system) are reached, we block the device on the server.
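The flow described above (the PIN unlocks a local key, the key signs operation data together with a hash-based counter, and the server counts failures) can be sketched as follows. This is an added illustration, not Wultra's code or protocol: the PBKDF2 parameters, the XOR masking that stands in for a real cipher, the HMAC signature, and the names `Device`, `Server` and `demo` are all assumptions.

```python
import hashlib, hmac, os

MAX_FAILED = 5  # the page's default limit before the server blocks the device

def pin_mask(pin, salt):
    # Assumed KDF and parameters; the PIN exists only for this call.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 10_000, dklen=16)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def next_ctr(ctr):
    return hashlib.sha256(ctr).digest()  # hash-based counter: a hash chain

class Device:
    def __init__(self, secret, ctr, pin):
        self.salt, self.ctr = os.urandom(16), ctr
        # Only the masked key is stored: no PIN, no PIN hash, no integrity tag.
        self.wrapped = xor(secret, pin_mask(pin, self.salt))

    def sign(self, pin, data):
        key = xor(self.wrapped, pin_mask(pin, self.salt))  # wrong PIN -> wrong key
        sig = hmac.new(key, self.ctr + data, hashlib.sha256).digest()
        self.ctr = next_ctr(self.ctr)
        return sig

class Server:
    def __init__(self, secret, ctr):
        self.secret, self.ctr, self.failed, self.blocked = secret, ctr, 0, False

    def verify(self, data, sig):
        if self.blocked:
            return False
        good = hmac.new(self.secret, self.ctr + data, hashlib.sha256).digest()
        self.ctr = next_ctr(self.ctr)  # simplification: advance on every attempt
        if hmac.compare_digest(good, sig):
            self.failed = 0  # assumed: a success resets the count
            return True
        self.failed += 1
        self.blocked = self.failed >= MAX_FAILED
        return False

def demo():
    secret, ctr = os.urandom(16), os.urandom(16)  # constructed activation values
    dev, srv = Device(secret, ctr, "4917"), Server(secret, ctr)
    data = b"payment:amount=100;to=CONSTRUCTED-ACCOUNT"
    ok = srv.verify(data, dev.sign("4917", data))
    wrong = [srv.verify(data, dev.sign("0000", data)) for _ in range(MAX_FAILED)]
    return ok, wrong, srv.blocked, srv.verify(data, dev.sign("4917", data))

if __name__ == "__main__":
    print(demo())
```

Because the masked key carries no integrity check, a wrong PIN simply produces a wrong key, so nothing stored on the device can confirm a PIN guess; only the server's verification and its attempt counter can.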
Even the strongest cryptography won't protect users who select 1234 as their PIN code. This is why we reflect the best practices in PIN code strength evaluation by providing an additional library to check PIN code strength.
We've designed our device activation flow to be bulletproof from the cryptography perspective. To protect primary credentials, we apply additional application-level encryption and data signing.
Don’t waste time working through the complications that often come along with implementing secure PIN codes. We take care of the heavy lifting so that you can focus on building great digital products and delivering excellent user experiences.
You can easily use the code on iOS and Android, since we take care of the complicated, low-level stuff in the core implementation layers.