piny

PINy is a cross-platform standard and software framework for privacy-preserving PIN-based authentication and access control. It provides a protocol and reference implementations that allow personal identification numbers to be used for user authentication across devices, apps, and services. PINy emphasizes minimizing exposure of the PIN by performing verification through tokens rather than transmitting the raw value.

The concept originated from privacy researchers in the early 2020s. An initial open specification was published in 2023 by the PINy Consortium, with subsequent revisions to improve device attestation, offline verification, and developer tooling.

PINy uses a client-side derivation key to transform a PIN with a salt, producing a PIN token. The token is sent to a verifier, which authenticates the user without learning the actual PIN. Devices with secure enclaves or trusted execution environments protect keys, enabling offline operation or distributed verification. The architecture supports both online and offline modes and can be deployed in centralized or federated configurations.

Key features include local PIN derivation, device attestation, optional biometric second factors, offline mode, policy-based access control, and developer SDKs. The framework supports rotation of PINs and revocation of credentials, along with auditing facilities for enterprise deployments. It is designed to be extensible for integrations with existing identity services and hardware security modules.

Adoption has been reported in enterprise identity projects and consumer apps requiring local PIN-based actions. Critics point to ongoing risks from weak PIN choices and potential compromise of devices, underscoring the need for strong device security and supplementary authentication measures.

PINy intersects with topics such as PIN codes, digital identity, and privacy-preserving cryptography.
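The token derivation and verifier check described above can be sketched as follows. This is an added example, not code from the PINy specification or its reference implementations. The construction (PBKDF2-HMAC-SHA256 followed by an HMAC under the device key), the iteration count and all names are assumptions made for illustration. It also shows the critics' point: a leaked verifier record cannot be matched to a PIN without the device key, but it can once the device key is compromised.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 10_000  # assumed work factor for the demo, not a PINy parameter

def derive_pin_token(pin: str, salt: bytes, device_key: bytes) -> bytes:
    """Client side: stretch the PIN with the salt, then bind it to the device key."""
    stretched = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)
    return hmac.new(device_key, stretched, hashlib.sha256).digest()

class Verifier:
    """Holds only (salt, token) per user; it never receives the PIN or device key."""
    def __init__(self):
        self.records = {}

    def enroll(self, user: str, salt: bytes, token: bytes) -> None:
        self.records[user] = (salt, token)  # re-enrolling rotates the PIN

    def revoke(self, user: str) -> None:
        self.records.pop(user, None)

    def verify(self, user: str, token: bytes) -> bool:
        record = self.records.get(user)
        # Constant-time comparison avoids leaking how many bytes matched.
        return record is not None and hmac.compare_digest(record[1], token)

def pins_consistent_with_record(salt, token, key_guess, candidates):
    """Design check: which candidate PINs reproduce a stored token under key_guess?"""
    return [p for p in candidates
            if hmac.compare_digest(derive_pin_token(p, salt, key_guess), token)]

def demo():
    device_key = secrets.token_bytes(32)  # constructed; stands in for an enclave-held key
    salt = secrets.token_bytes(16)
    verifier = Verifier()
    verifier.enroll("alice", salt, derive_pin_token("0042", salt, device_key))
    stored = verifier.records["alice"][1]
    candidates = [f"{n:04d}" for n in range(100)]  # small slice of the PIN space
    return {
        "right_pin": verifier.verify("alice", derive_pin_token("0042", salt, device_key)),
        "wrong_pin": verifier.verify("alice", derive_pin_token("0043", salt, device_key)),
        "other_device": verifier.verify(
            "alice", derive_pin_token("0042", salt, secrets.token_bytes(32))),
        "leak_without_key": pins_consistent_with_record(salt, stored, bytes(32), candidates),
        "leak_with_key": pins_consistent_with_record(salt, stored, device_key, candidates),
    }

if __name__ == "__main__":
    print(demo())
```

Because a PIN has so few possible values, the salt and stretching alone do not protect a stored token; the protection in this sketch comes from the key that stays on the device.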