PIN Authenticator
The PIN authenticator offered by the Nevis Access App is completely independent from the device passcode provided by the mobile operating system.
Because of its independency from the mobile operating system, it provides its own measures for increasing its security.
Brute force attack prevention
The PIN authentication method is protected against non-sophisticated brute-force attacks. In the case of a failed PIN verification attempt, the user must wait for a predefined amount of time before being able to attempt PIN verification again. After the second failed attempt, a cool-down time is added as a penalty. The following table shows the added penalty for each failed attempt:
| Number of failed attempts | Cool-Down in Seconds |
|---|---|
| 1 | 0 |
| 2 | 0 |
| 3 | 60 |
| 4 | 180 |
After the fifth failed attemt, the PIN authenticator and its corresponding credentials are removed from the mobile device.
Disallowing unsafe PINs
To further increase the security of the PIN authenticator, the Access App prevents usage of unsafe PINs using a rule-based implementation as opposed to a backlist based implementation. This solution has several benefits over a blacklist approach, it:
- removes the necessity of managing a potentially large blacklist based on the length of the PIN code
- is flexible enough to handle different PIN lengths
- is more secure by ensuring a rule-based entropy as opposed to a blacklist
- can be easily explained to the end-users
PIN Rules
The rules for a PIN to be considered safe are:
- The PIN must contain a minimum number of different digits. This minimum number of different digits depends on the length of the PIN.
- The PIN cannot contain consecutive numbers in ascending or descending order. The number of consecutive numbers that are not allowed depends on the length of the PIN.
1. Minimum number of different digits
Based on the length of the PIN, a minimum number of different digits is required:
| PIN length | Different digits |
|---|---|
| 4 | 3 |
| 5 | 4 |
| 6 | 4 |
2. Allowed consecutive digits
A PIN shorter than 6 digits can have at most 2 consecutive digits. A PIN with 6 digits can have at most 3 consecutive digits.