Some client applications, such as mobile applications, use a 4-6 digit PIN to protect against unauthorised access. This in itself is a weak form of authentication, with a 5 digit PIN providing only 100,000 combinations; the correct PIN could be guessed easily by a ‘brute force’ attack i.e. trying every combination.
To counter this, most mobile applications store no sensitive data locally on the mobile client, and implement a lock-out scheme which is enforced on the server after a few wrong attempts at entering the PIN. However, it would advantageous for a mobile application to store data at the mobile client for access and analysis when disconnected. There is therefore a need for secure access to locally stored data that can survive brute force attacks.