Cryptnox Docs

User Key

Introduction

After initialization, the PIN must be entered again after each EC signature, because signing resets the PIN's validity. PIN verification works like standard methods but happens through a secure channel (see the Verify Key command for details). The PIN should be 4 to 9 digits long. It can be tried three times, after which the card must be disconnected before further attempts. After three more failed attempts, the PIN locks and a PUK is needed to unlock it.

You also have a PairingKey, which can be public and can be shared. Another authentication method uses an EC256r1 or RSA key pair: a random challenge is signed instead of entering a PIN. The public key is stored in the card, allowing blockchain EC signatures with the user key. This feature lets the Basic wallet card handle transactions securely using key storage such as the iOS Secure Enclave or a PC TPM instead of a PIN.

PIN and user authentication are both reset after any EC signature. External FIDO authenticators can also perform user authentication (see the Add User Key and Check User Key commands). A user key can be stored in a slot only once; it must be deleted before a new key can be added to that slot. The SetPinAuth command can disable PIN authentication, so that authentication is possible only through registered public keys.
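The user-key flow from the two paragraphs above (signed random challenge, write-once slot, authentication reset after an EC signature), as an added example that is not Cryptnox card or SDK code. `ModelCard` and its method names are hypothetical; that the card issues the challenge and accepts it only once is an assumption of this model, and the host key pair stands in for a Secure Enclave or TPM key.

```javascript
// Added example: in-memory model of the user-key flow, not Cryptnox code.
const crypto = require("node:crypto");

class ModelCard {                        // hypothetical stand-in for the card
  constructor() { this.slot = null; this.challenge = null; this.authed = false; }

  addUserKey(publicKey) {                // a slot is written once; delete before replacing
    if (this.slot) throw new Error("slot occupied: delete the key first");
    this.slot = publicKey;
  }
  deleteUserKey() { this.slot = null; this.authed = false; }

  newChallenge() {                       // assumption: the card issues a fresh challenge
    this.challenge = crypto.randomBytes(32);
    return this.challenge;
  }
  checkUserKey(signature) {              // verify against the stored public key
    const c = this.challenge;
    this.challenge = null;               // single use, so an old signature cannot be replayed
    this.authed = Boolean(c && this.slot) &&
      crypto.verify("sha256", c, this.slot, signature);
    return this.authed;
  }
  signTransaction(digest) {
    if (!this.authed) throw new Error("user authentication required");
    this.authed = false;                 // authentication resets after any EC signature
    return `signed:${digest}`;           // placeholder for the card's EC signature
  }
}

// Host side: a P-256 key pair standing in for a Secure Enclave or TPM key.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
  const card = new ModelCard();
  card.addUserKey(publicKey);
  const sig = crypto.sign("sha256", card.newChallenge(), privateKey);
  const first = card.checkUserKey(sig);        // valid signature over the live challenge
  card.signTransaction("tx1");                 // consumes the authentication
  const replay = card.checkUserKey(sig);       // challenge already consumed
  let second; try { card.signTransaction("tx2"); } catch (e) { second = e.message; }
  let rewrite; try { card.addUserKey(publicKey); } catch (e) { rewrite = e.message; }
  return { first, replay, second, rewrite };
}
```

Calling `demo()` returns the outcome of each step, so the single-use authentication and the write-once slot can be checked directly.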

User Key Actions

You can perform the following actions on the user keys: