Skip to main content
Skip table of contents

Offline Pin Authentication

Starting in 3.8, users who rely on the Veridium PIN method can now unlock their mobile devices even when no network is available. PIN data is pre-synchronized from the server and stored in hardware-protected storage, removing the previous requirement for constant connectivity.

Previously, Veridium PIN authentication required a constant connection to Veridium services for validation, limiting its use in scenarios without connectivity, such as offline Windows Logon where native biometrics are unavailable. With this update, we've addressed this limitation to provide a more flexible and robust authentication experience.

PIN Synchronization: Secure Offline Access

This feature is currently available for registered mobile applications that have the PIN authentication method enrolled.

Key Features & Configuration

  • Opt-in capability – administrators can enable or disable offline PIN use in the PIN authentication policy.

9a6a816e-6fe5-43fb-8b2e-1d9e45cee286.png

  • Offline window – a time-to-live (TTL) value defines how long the cached PIN remains valid. Set TTL = 0 to disable offline use.

  • Automatic refresh – the mobile app re-syncs the PIN whenever:
    – the TTL is about to expire (background refresh)
    – the user changes the PIN (silent push to all enrolled devices)
    – the policy is updated on the server

Security Model

  1. Mutual key agreement
    • Mobile app and server perform an Elliptic-Curve Diffie–Hellman exchange.
    • Each side signs its public key with the credential key created during PIN enrollment.

  2. Encrypted delivery
    • The derived shared secret is stretched with HKDF to an AES-256 key.
    • Server encrypts the PIN hash and salt and returns them to the client.

  3. Secure storage
    • The encrypted blob is stored inside the OS keychain (TEE/Secure Element).
    • Server stores only a PBKDF2 hash of the PIN; the clear PIN is never retained.

Offline Verification Flow

  1. User enters the PIN.

  2. App runs PBKDF2-HMAC-SHA256 with the cached salt.

  3. Result is compared to the cached hash.

  4. If the TTL has expired or the number of failed attempts exceeds the policy limit, offline authentication is rejected and an online unlock is required.

Account Lockout

For added security, if an incorrect PIN is entered multiple times (configured by server-side settings), the PIN authentication method will lock out indefinitely.

To unlock your PIN:

  • Successfully authenticate online using your PIN.

  • Reset your PIN via the mobile application or self-service portal.

  • Have an administrator reset your PIN.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close