User Key
Introduction
Once the card is initialized, the PIN must be entered again after each EC signature, because signing resets the PIN's validity. PIN verification works like standard PIN verification but takes place over a secure channel (see the Verify Key command for details). The PIN should be 4 to 9 digits long. It can be tried three times before the card must be disconnected; after three more failed attempts it locks and a PUK is needed to unlock it.
You also have a PairingKey, which can be public and can be shared. Another authentication method uses an EC256r1 or RSA key pair: a random challenge is signed instead of entering a PIN. The public key is stored in the card, which allows blockchain EC signatures to be authorized by this user authentication. This feature lets the Basic wallet card handle transactions securely using key storage such as the iOS Secure Enclave or a PC TPM instead of a PIN.
PIN and user authentication are reset after any Elliptic Curve (EC) digital signature. External FIDO authenticators may also perform user verification (refer to the Add Key and Check Key commands). A cryptographic key can be stored in a slot only once and must be deleted before adding a new one. The SetPinAuth command can disable PIN-based verification, enabling access solely through registered public keys.
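The challenge-response user authentication described above, modelled in Go as an added example (not the card's firmware, SDK or command encoding). `Card`, `NewChallenge`, `CheckKey`, `SignTx`, `HostSign` and `hostKey` are hypothetical names, and the sketch assumes EC256r1 means the NIST P-256 curve with ECDSA over the SHA-256 hash of the challenge.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

type Card struct { // hypothetical model of card-side state, not the real command set
	slot      *ecdsa.PublicKey // registered user public key
	challenge []byte           // outstanding single-use challenge
	authed    bool             // cleared again by every EC signature
}

var hostKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stand-in for a Secure Enclave/TPM key

// NewChallenge issues a fresh random challenge for the host to sign.
func (c *Card) NewChallenge() []byte {
	c.challenge = make([]byte, 32)
	rand.Read(c.challenge)
	return c.challenge
}

// CheckKey verifies the response against the stored key and consumes the challenge.
func (c *Card) CheckKey(sig []byte) bool {
	h := sha256.Sum256(c.challenge)
	c.authed = c.slot != nil && c.challenge != nil && ecdsa.VerifyASN1(c.slot, h[:], sig)
	c.challenge = nil // consumed: a captured response cannot be replayed
	return c.authed
}

// SignTx stands in for a blockchain EC signature: it needs auth and resets it.
func (c *Card) SignTx() (ok bool) {
	ok, c.authed = c.authed, false
	return ok
}

// HostSign is the host's response: ECDSA over SHA-256 of the challenge.
func HostSign(priv *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

func main() {
	card := &Card{slot: &hostKey.PublicKey}
	sig, _ := HostSign(hostKey, card.NewChallenge())
	fmt.Println(card.CheckKey(sig), card.SignTx(), card.SignTx(), card.CheckKey(sig))
}
```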
User Key Actions
You can perform the following actions on the user authentication: