PINs must be 7-10 digits long. This means that with a 7-digit PIN there are 279,936 possible PIN codes, and with a 10-digit PIN there are 60,466,176 possible PIN codes. After 10 failed PIN attempts the device wipes all data, which makes brute forcing of the PIN impossible.
When I type an incorrect PIN code that is 10 digits I see red flashing lights from the LED. However, if the PIN code is less than 10 digits (7, 8, 9 or 10 digits) then I do not see any activity.
How does the OnlyKey wipe itself after 10 failed attempts if the PIN code is less than 10 digits?
Pressing the first character to start entering a PIN increments a counter. If you enter an incorrect PIN, or remove the device once the first character of a PIN attempt has been entered, that is logged as a failed attempt.
You will notice that after entering 3 incorrect PINs your OnlyKey is steadily blinking red.
I performed the following tests with incorrect PINs in order to get this:
Test #1
What I expect to see in this test: Steadily blinking red after failed third attempt.
Results of test: Steadily blinking red after failed third attempt.
Plug in OnlyKey, then:
Type incorrect 10 digit pin code. Result is brief blinking red.
Type incorrect 10 digit pin code. Result is brief blinking red.
Type incorrect 10 digit pin code. Result is steadily blinking red.
Test #2
What I expect to see in this test: Steadily blinking red after failed third attempt.
Result of test: No red flashing lights at all.
Plug in OnlyKey
Type incorrect 7 digit pin code.
Unplug OnlyKey
Plug in OnlyKey
Type incorrect 7 digit pin code.
Unplug OnlyKey
Plug in OnlyKey
Type incorrect 7 digit pin code.
Test #3
What I expect to see in this test: Steadily blinking red after failed third attempt.
Result of test: Brief blinking red after third failed attempt with 10 digits.
Plug in OnlyKey
Type incorrect 7 digit pin code.
Unplug OnlyKey
Plug in OnlyKey
Type incorrect 7 digit pin code.
Unplug OnlyKey
Plug in OnlyKey
Type incorrect 10 digit pin code. Result is brief blinking red.
From my point of view it appears that incorrect PIN inputs between 7-9 digits are not registered as failed PIN attempts.
Can you please elaborate on how the OnlyKey detects failed PIN attempts for PIN codes between 7-9 digits if my understanding is incorrect?
The tests are all independent and were done with a correctly inputted PIN between each attempt. My goal was to trigger the anti-inadvertent wipe feature so I could visually see that the device was registering incorrect PINs.
In this case, I find it odd that this anti-inadvertent wipe feature does not work when using a pin of less than 10 digits.
If you are entering an incorrect PIN and then a correctly inputted PIN, you reset the failed login counter. It's 10 failed PIN attempts in a row to trigger a wipe.
In this case, I find it odd that this anti-inadvertent wipe feature does not work when using a pin of less than 10 digits.
If it did, an attacker would know that your PIN is not 10 digits; the current implementation does not give an attacker any indication of the PIN length.
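The counter behaviour described in the replies above, as an added Python model (not OnlyKey firmware or the vendor's code): the counter increments on the first keypress, a wrong 10-digit entry or unplugging finalises the attempt, a correct PIN resets the run, ten consecutive failures wipe the device, and a shorter wrong entry produces no visible response. That each PIN digit is one of 6 buttons (giving the 6^7 and 6^10 keyspaces quoted at the top) and the names PinCounter and enter are assumptions of this example.

```python
BUTTONS = 6                  # assumed: each PIN digit is one of 6 buttons
MAX_LEN = 10                 # PINs are 7 to 10 digits; a wrong entry is only signalled at 10
WIPE_AT = 10                 # consecutive failures that wipe the device

def keyspace(length):
    """Distinct PINs of a given length: 6**7 == 279,936, 6**10 == 60,466,176."""
    return BUTTONS ** length

class PinCounter:
    def __init__(self, pin):
        self.pin = pin
        self.failed = 0              # consecutive failed attempts
        self.wiped = False
        self._entered = ""
        self._attempt_open = False

    def press(self, digit):
        """Feed one digit; returns what the user can observe."""
        if self.wiped:
            return "wiped"
        if not self._attempt_open:
            # The first character of an attempt already increments the counter,
            # so a short wrong entry followed by unplugging is still counted.
            self._attempt_open = True
            self.failed += 1
        self._entered += digit
        if self._entered == self.pin:
            self.failed = 0          # a correct PIN resets the run of failures
            self._close()
            return "unlocked"
        if len(self._entered) >= MAX_LEN:
            self._close()            # only a full 10-digit wrong entry is signalled
            return "wiped" if self.wiped else "rejected"
        # A shorter wrong entry gives no signal, so nothing reveals the PIN length.
        return "pending"

    def unplug(self):
        """Removing the device after the first character finalises the attempt."""
        self._close()
        return "wiped" if self.wiped else "unplugged"

    def _close(self):
        self._entered = ""
        self._attempt_open = False
        if self.failed >= WIPE_AT:
            self.wiped = True

def enter(dev, digits):
    """Type a digit string and return the last observable response."""
    return [dev.press(d) for d in digits][-1]
```

Running Test #2 from the thread against this model leaves the counter at 3 with no visible response, which is the behaviour the vendor describes and the reason the short entries look unregistered.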