Not a bad idea! This isn't an "unlock code"; it's 1/2 of a private key and is also used as the salt to a keygen function wherein something else is being used as the primary data portion or seed. The keygen function uses scrypt at its core, so it's extremely expensive to try to brute force.
The PIN needs to be something they can remember, but would be impractical to try and brute force. Before they get to the option to enter a PIN they will have already entered a password and verified using an MFA component such as email link, SMS code or TOTP. The PIN is part of authorization, not identification (a single user can have multiple PINs and thus multiple keys). It is presumed that, should we move to PoS deployments, the user would be issued a physical token to use in conjunction with their PIN to authorize the transaction.

On Mon, Feb 24, 2014 at 9:45 PM, Michael Torrie <[email protected]> wrote:

> On 02/24/2014 09:03 PM, S. Dale Morrey wrote:
> > fine we will make it 10 :)
>
> Even better, their phone number!
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
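
As an added illustration (not code from the original post or its author), the sketch below derives a key with scrypt using the PIN as the salt and a separate seed as the primary input, then estimates how long an exhaustive search of an all-digit PIN would take for someone who already holds the seed. The scrypt cost parameters, the seed value and all function names are assumptions; the post does not give them.

```python
import hashlib
import time

# Assumed scrypt cost parameters; the post does not state the real ones.
N, R, P, KEY_LEN = 2**14, 8, 1, 32
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_key(seed: bytes, pin: str) -> bytes:
    """Run scrypt with the seed as the primary input and the PIN as the salt."""
    return hashlib.scrypt(seed, salt=pin.encode(), n=N, r=R, p=P, dklen=KEY_LEN)


def seconds_per_guess(seed: bytes, samples: int = 3) -> float:
    """Measure the wall-clock cost of one derivation on this machine."""
    start = time.perf_counter()
    for i in range(samples):
        derive_key(seed, f"{i:010d}")
    return (time.perf_counter() - start) / samples


def exhaustive_search_years(digits: int, per_guess: float, workers: int = 1) -> float:
    """Worst-case years to try every all-digit PIN of the given length.

    Assumes the seed is already known, so the PIN is the only unknown input,
    and that the search parallelizes perfectly across `workers`.
    """
    return (10 ** digits) * per_guess / workers / SECONDS_PER_YEAR


if __name__ == "__main__":
    seed = b"constructed-sample-seed"  # constructed value standing in for the primary data

    # Different PINs with the same seed give unrelated keys (one key per PIN).
    print(derive_key(seed, "0123456789").hex())
    print(derive_key(seed, "9876543210").hex())

    cost = seconds_per_guess(seed)
    print(f"measured cost: {cost * 1000:.1f} ms per derivation")
    for digits in (4, 6, 10):
        for workers in (1, 1000):
            years = exhaustive_search_years(digits, cost, workers)
            print(f"{digits:2d} digits, {workers:4d} workers: {years:.6f} years")
```

The estimate depends only on the PIN length and the per-guess cost, so it shows how much of the protection comes from scrypt's parameters and how much from the number of digits.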
