Secure PIN Code For Financial Apps

Add financial-grade, multi-factor login and transaction signing to your mobile app with just a few lines of code.

Can you tell the difference?

If not, we can't blame you. It's hidden inside.

Implementing a secure PIN code isn’t about what users can see — instead, it’s about what happens under the hood. While there are many PIN code implementations out there, the majority don’t measure up when it comes to user experience and compliance. Wultra’s solution raises the bar for modern PIN code implementation.

Here’s Why Our PIN Code Implementation Is Next-Level

PIN codes are never, ever stored.

A PIN code should only exist in a user's head, and — for a very brief moment — in the volatile memory of their mobile device. We never store the PIN code on the mobile device or on the server, not even as a hash.

We don’t use the PIN code directly for authentication.

The PIN code only unlocks local cryptographic keys. These keys are used alongside operation data and a hash-based counter value to compute a one-time signature, which is later verified on the server.

We never keep the PIN code and keys in memory in plain text.

The low-level C/C++ implementation under the hood allows us to work precisely with the memory. All data is contained in a dedicated part of memory, protected by ad-hoc encryption to complicate its retrieval by untrusted parties, and zeroed out immediately after its use.

If authentication fails, we block the PIN code remotely.

When a user enters the PIN code incorrectly, we increment the failed-attempt counter on the server side. Once five failed attempts (or another value configured in our system) are reached, we block the device on the server.
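The scheme described in the sections above (the PIN only unlocks local keys, a one-time signature is computed over the operation data and a hash-based counter, and the server counts failures and blocks the device after five), modelled end to end as an added example. This is not Wultra's code: the PBKDF2 key wrapping, the XOR unwrap and the lockstep counter are my assumptions chosen to keep the model in the standard library.

```python
# Added model of the PIN-unlocks-keys scheme described on this page; not Wultra's code.
import hashlib
import hmac
import secrets

MAX_FAILED_ATTEMPTS = 5   # default mentioned on the page
KDF_ITERATIONS = 100_000  # assumed PBKDF2 cost, not a figure from the page

def _pin_to_kek(pin: str, salt: bytes) -> bytes:
    """Derive a 32-byte key-encryption key from the PIN; this is the only use of the PIN."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ITERATIONS, 32)

def enroll(pin: str):
    """Activation: create a signing key and wrap it under the PIN-derived key.
    The device keeps only the salt, the wrapped key and the counter seed, never the PIN."""
    signing_key = secrets.token_bytes(32)
    salt = secrets.token_bytes(16)
    kek = _pin_to_kek(pin, salt)
    wrapped = bytes(a ^ b for a, b in zip(signing_key, kek))  # KEK is key-length, XOR unwraps it
    ctr = secrets.token_bytes(32)
    device = {"salt": salt, "wrapped": wrapped, "ctr": ctr}
    server = {"signing_key": signing_key, "ctr": ctr, "failed": 0, "blocked": False}
    return device, server

def sign_operation(device: dict, pin: str, operation: bytes) -> bytes:
    """Device side: unwrap the key with the PIN, sign operation||counter, advance the counter.
    A wrong PIN unwraps garbage, so the resulting signature simply fails on the server."""
    kek = _pin_to_kek(pin, device["salt"])
    key = bytearray(a ^ b for a, b in zip(device["wrapped"], kek))
    sig = hmac.new(bytes(key), operation + device["ctr"], hashlib.sha256).digest()
    key[:] = bytes(len(key))  # best-effort zeroing; Python cannot guarantee no copies remain
    device["ctr"] = hashlib.sha256(device["ctr"]).digest()  # hash-based counter moves forward
    return sig

def verify_operation(server: dict, operation: bytes, sig: bytes) -> bool:
    """Server side: recompute the expected signature, keep the counter in lockstep,
    count failures and block the device once the limit is reached."""
    if server["blocked"]:
        return False
    expected = hmac.new(server["signing_key"], operation + server["ctr"], hashlib.sha256).digest()
    server["ctr"] = hashlib.sha256(server["ctr"]).digest()  # advance even on failure, as the device did
    if hmac.compare_digest(expected, sig):
        server["failed"] = 0
        return True
    server["failed"] += 1
    if server["failed"] >= MAX_FAILED_ATTEMPTS:
        server["blocked"] = True
    return False
```

Because the counter is bound into every signature, a valid signature cannot be replayed or moved to a different operation; a production scheme would additionally tolerate counter drift between device and server with a look-ahead window, which this model omits.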

We check the PIN code policy and disallow weak PIN codes.

Even the strongest cryptography won't protect users who select 1234 as their PIN code. This is why we reflect the best practices in PIN code strength evaluation by providing an additional library to check PIN code strength.

We set up the PIN code after a secure activation process.

We’ve designed our device activation flow to be bulletproof from a cryptographic perspective. To protect primary credentials, we apply additional application-level encryption and data signing.

Drop-in Implementation

Straightforward implementation with all the magic under the hood.

Don’t waste time working through the complications that often come along with implementing secure PIN codes. We take care of the heavy lifting so that you can focus on building great digital products and delivering excellent user experiences.

Looking for Face ID and Touch ID?
Look no further! Authentication with biometrics is supported in the same SDK.

Need to eliminate weak PIN codes in your app?
Try our Apache 2.0 licensed open-source Passphrase Meter library in your app.

Clean Solution Architecture

Cryptography, networking, and data storage packaged in a comprehensive bundle.

You can easily use the code on iOS and Android, since we take care of the complicated, low-level stuff in the core implementation layers.

Get in Touch

Contact us and find out more about:

  • How to implement authentication in your fintech app.
  • How we helped other financial organizations and banks deliver secure and compliant authentication.
  • Licensing options and pricing of our product.

Ondřej Kupka

Account Executive
[email protected]