To store and retrieve end-to-end encrypted data, the 4Privacy App must establish a connection with a 4Privacy AppNode. The encryption keys for the data saved on the 4Privacy AppNode are required in order to read that data; they have nothing to do with authentication or the PIN. Nevertheless, in order to even access the data on the 4Privacy AppNode, you must authenticate yourself.
Best practices for authentication should have more than one factors that can be used to verify your identity. 4Privacy uses 2-factor-authentication (2FA) that requires “something-you-have” and “something-you-know.” This is crucial in safeguarding your data in the event that you misplace your phone.
In 4Privacy, the “something-you-have” is your phone. More specifically, your phone stores a 256bit randomly generated key in app protected storage. The second factor is “something you know,” which is your 4 digit PIN.
Unless you utilize the biometric option, your 4-digit PIN is not saved or verified on your phone. Instead, your PIN is verified in the 4Privacy AppNode, which is running in the cloud. Only eight tries at connection are permitted before the account is locked and no further connections or attempts at authentication are permitted.
This is distinct from your phone’s PIN, which is kept on the device and validated there. While the phone tries to guard against too many failed attempts, there are hacks that can get beyond that security.
Since 4Privacy validates your PIN and the counting of too many unsuccessful tries in the 4Privacy AppNode, manipulation cannot occur if your phone is stolen or hacked.
Why is the PIN only 4 digits?
Because the “what-you-know” must be easily remembered or it just becomes another thing to write down or save somewhere, which defeats the security. The 4-digit PIN is big enough to be secure (4 digits = 10,000 combinations, with 8 attempts) and small enough to be easily remembered. After 8 unsuccessful attempts, you must use your recovery to get into your account.
In the future, we plan to add additional PIN options (for example, the ability to choose a 6 digit pin).