by lucb1e
1541 days ago
> like, "is the sum of the last four digits even?" or "is the sum evenly divisible by 3?"

Exactly. After only a few of these you have an equivalent security level to checking the four digits directly but at each step of the way there is a 50% chance that the attacker, not knowing the number yet, gets it wrong and you stop giving more info. If they do a thousand calls a day, they'll still get some people, but it's probably not you so that's at least a small win.

You might enjoy learning about PAKE/SPEKE, which has similar properties.

> An important property is that an eavesdropper or man-in-the-middle cannot obtain enough information to be able to brute-force guess a password without further interactions with the parties (Wikipedia: PAKE)

Just enough enjoyment to then get depressed wondering why nobody is using these nice things