About the Application PIN Authenticator

The Application PIN Authenticator is not provided natively by the device's operating system and the applied PIN is different from the PIN that unlocks the device.

Application PIN behavior

When a PIN is needed, either for registration or a FIDO operation, the Application PIN Authenticator will ask for a PIN with its callbacks. You can provide the PIN programmatically or after displaying your own user interface to the user. Once the PIN is passed to the authenticator, the processing of the FIDO operation will continue. The callback is on the authenticator itself (not on the FIDO Client).

The FIDO UAF Client SDK will not accept any PIN that violates one or more of the PIN violation rules passed via the PIN validator instance.

Weak PIN detection and PIN customizations using the PIN validator

You can check for PIN rule violations before passing the PIN to the callback by calling the designated API on the PIN validator instance. This instance can be constructed by a number of defined rules.

You must keep a reference to the PIN validator instance at all times!

If the result of that check is one or more violated PIN rules, you must implement the correct user interface and message to ask the user for another PIN before passing it to the callback.

The authenticator can check one ore more of the following PIN rules (based on the rules passed at the time of construction):

• Do the digits of the PIN increase or decrease in equal steps (example: 2468, 97531, 2222 etc.)?

• Does the PIN consist of one digit followed by trailing zeros (example: 1000, 2000 etc.)?

• Does the PIN consist of alternating digits (example: 1515, 252525 etc.)?

• PIN minimum length (4 digits, can be customized to be 4 or more digits)

The method will return an array of the violated rules.

Key management

All keys used for authenticators are stored in the secure hardware element of the device, including the private key. However, it is not protected by additional security measures (like biometry).

The keys cannot be shared. They will never leave the device and will not migrate from one device to another by a backup/restore process.

Per user, only one authenticator and app ID can be registered on the same device. This means that if a user already has a registration in an authenticator for an application on this device, a new registration CANNOT be created in the same authenticator on the same device for that user and application.

Anti-hammering protection

The anti-hammering protection counts the number of unsuccessful authentication attempts and applies a penalty after a defined threshold of attempts. The penalty will start after 5 consecutive wrong PIN attempts (counter will continue even if the app is killed between the attempts). The penalties are calculated in seconds as 30 x 2^n (n = Number of failed attempts minus 5). After 1 successful authentication, the counter will be cleared.

After 10 consecutive wrong attempts, the user is locked and the corresponding error message is displayed:

• Android: USER_LOCKED_OUT

• iOS: ApplicationPinAuthenticatorError

For more information, refer to the technical documentation included in the product package.

Metadata for the Application PIN Authenticator

The metadata for the Application PIN Authenticator is typically stored in the FIDO Metadata Service, which FIDO relying parties can access to obtain information about the authenticators. This metadata is essential for enabling interoperability and security in the FIDO environment. The following table describes the Authenticator Attestation IDs (AAIDs) for the Application PIN Authenticator.