If strong device authentication (e.g. a fingerprint scan) cannot be used for the app, the app is secured with a PIN. This page describes the flow the user goes through when resetting the PIN.
- After 5 failed attempts, the app locks, informs the server about this lock and informs the user that they will receive a text message with a PIN reset confirmation code after 24 hours. The 24-hour delay prevents someone who temporarily has access to the device from opening the Yona app by resetting the PIN.
Note: the attempts must be counted across app restarts, to prevent users from simply restarting the app after the first 4 failed attempts and thereby resetting the attempt count to 0. This implies that the number of attempts needs to be stored persistently on the device.
- The text message contains a confirmation code that is valid for a week to reset the PIN. The app verifies the correctness of the confirmation code and only then allows resetting the PIN.
- Optionally, the app asks the user for some secret (the brand of their first car, their mother's first name, etc.). The PIN reset is only enabled when this is entered correctly. The PIN reset happens on the device only; the PIN is not known on the server. Asking for the secret is not strictly necessary: we can also assume that the user still has access to their device, or has already reset their mail password, so the thief does not have access to their device.
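The lockout and reset flow described above, as an added Python model that is not the Yona project's own code. A plain dict stands in for the device's persistent storage (so the attempt count survives a simulated restart), and the `ResetCodeService` class with its `report_lock`, `issue_code` and `verify_code` methods is an assumed server side, since this page does not say how the app checks the confirmation code. Hashing the PIN and the optional secret with salted PBKDF2 on the device is also my choice; the page only states that the PIN is not known on the server.

```python
import hashlib
import hmac
import os
import secrets

MAX_ATTEMPTS = 5                      # fifth failed attempt locks the app
RESET_CODE_DELAY = 24 * 3600          # text message is sent 24 hours after the lock
RESET_CODE_VALIDITY = 7 * 24 * 3600   # confirmation code stays valid for one week


def _kdf(value, salt):
    """Slow, salted hash so a copied device store does not reveal the PIN or secret."""
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 100_000)


class ResetCodeService:
    """Assumed server side: records the lock, issues the text-message code once
    24 hours have passed and checks it for one week. Not the real Yona API."""

    def __init__(self):
        self.locks = {}   # user -> time of lock
        self.codes = {}   # user -> (code, time issued)

    def report_lock(self, user, now):
        self.locks[user] = now

    def issue_code(self, user, now):
        """Code to text to the user, or None while the 24 hours have not passed."""
        if user not in self.locks or now - self.locks[user] < RESET_CODE_DELAY:
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        self.codes[user] = (code, now)
        return code

    def verify_code(self, user, code, now):
        entry = self.codes.get(user)
        if entry is None or now - entry[1] > RESET_CODE_VALIDITY:
            return False
        return hmac.compare_digest(entry[0], code)

    def invalidate_code(self, user):
        self.codes.pop(user, None)


class PinGuard:
    """Client side. `store` is a dict standing in for persistent device storage."""

    def __init__(self, store, server, user):
        self.store, self.server, self.user = store, server, user
        self.store.setdefault("attempts", 0)

    def set_pin(self, pin, secret_answer=None):
        salt = os.urandom(16)
        self.store.update(pin_salt=salt, pin_hash=_kdf(pin, salt), attempts=0)
        self.store.pop("locked_at", None)
        if secret_answer is not None:   # optional secret question, answer normalised
            s = os.urandom(16)
            self.store.update(secret_salt=s, secret_hash=_kdf(secret_answer.strip().lower(), s))

    def is_locked(self):
        return "locked_at" in self.store

    def unlock(self, pin, now):
        if self.is_locked():
            return False
        # Persist the attempt before comparing, so killing the app mid-check cannot reset it.
        self.store["attempts"] += 1
        if hmac.compare_digest(_kdf(pin, self.store["pin_salt"]), self.store["pin_hash"]):
            self.store["attempts"] = 0
            return True
        if self.store["attempts"] >= MAX_ATTEMPTS:
            self.store["locked_at"] = now
            self.server.report_lock(self.user, now)
        return False

    def reset_pin(self, code, new_pin, now, secret_answer=None):
        """Confirmation code first, then the optional secret; the new PIN stays on the device."""
        if not self.server.verify_code(self.user, code, now):
            return False
        if "secret_hash" in self.store and (secret_answer is None or not hmac.compare_digest(
                _kdf(secret_answer.strip().lower(), self.store["secret_salt"]), self.store["secret_hash"])):
            return False
        self.set_pin(new_pin)
        self.server.invalidate_code(self.user)
        return True


def walkthrough():
    """Runs the flow against a simulated clock and returns what was observed."""
    server, store = ResetCodeService(), {}
    app = PinGuard(store, server, "alice")       # constructed sample user
    app.set_pin("1234", secret_answer="Volvo")
    t = 1_000_000
    for _ in range(4):
        app.unlock("0000", t)
    app = PinGuard(store, server, "alice")       # app restart: same store, count kept
    app.unlock("0000", t)                        # fifth failure locks the app
    locked = app.is_locked()
    too_early = server.issue_code("alice", t + 3600)
    code = server.issue_code("alice", t + RESET_CODE_DELAY)
    t2 = t + RESET_CODE_DELAY + 60
    wrong_secret = app.reset_pin(code, "4321", t2, "Ford")
    reset_ok = app.reset_pin(code, "4321", t2, " volvo ")
    return {"locked_after_restart": locked, "too_early": too_early is None,
            "wrong_secret_rejected": not wrong_secret, "reset_ok": reset_ok,
            "old_pin_rejected": not app.unlock("1234", t2), "new_pin_ok": app.unlock("4321", t2),
            "code_reusable": server.verify_code("alice", code, t2)}


if __name__ == "__main__":
    print(walkthrough())
```

The attempt counter is written to the store before the comparison runs, which is what makes the "count across restarts" requirement hold even if the app is killed during a check. A real server would additionally rate-limit `verify_code`, since a six-digit code can be guessed within its one-week lifetime if unlimited tries are allowed.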