Client applications protecting sensitive information typically require a user-supplied PIN to authenticate the user. However, a simple PIN might not provide sufficient security. For example, a six-digit numeric PIN at most provides 106 characters of entropy, which may be used for data security. This may be inadequate to withstand a GPU-based password cracking attack.
A PIN Validator may be used to verify that the user has entered the correct PIN. Current systems may create a PIN Validator by generating a random phrase, encrypting the random phrase with a derivative of the user-supplied PIN, and storing the original random phrase and the encrypted random phrase after hashing each of them a number of times for obfuscation. The PIN validator may be stored on the client device. However, this data security mechanism may be reversed in an offline attack in a matter of hours.
Additionally, the small amount of entropy provided by the user-supplied PIN might not be able to be used for cryptographic key derivation. Although key-stretching algorithms exist, the algorithms are not adequate for government and other regulated environments with strict security standards.
Moreover, with today's flexible mobile work styles, when people frequently switch between locations, devices and applications, security and authentication become very challenging, especially if the goal is to preserve or enhance user experience. Authentication secrets are a continual source of frustration for users. At their very core, most password policies are contradictory in nature. They contain a mix of upper and lower case letters, symbols and digits yet should be easy to remember. In the case of mobile devices, they are typically simple to enter and are as frictionless as possible to the end user. This leads to user PINs that are trivial to crack or even subject to shoulder surfing. Furthermore, PINs often cannot be used to derive encryption keys because they lack the necessary entropy (e.g., randomness) to create encryption keys. The problems are further compounded when users switch between devices and applications and are frequently and repetitively asked to authenticate, often using different authentication mechanisms.