[TheRealPomax]

also, "ah yes, a several digit pin, famously more secure than a same-length password that adds even as little as letters".

[Macha]

The point is more so that the pin unlocks a key on your local device and that key is much stronger than the password the typical user would select. Plus it is site specific in a way that your typical user does not do with passwords.

So it's making a system weaker against offline attacks if someone steals your hardware in exchange for making it stronger against phishing. This is probably the correct tradeoff for most people.

[avianlyric]

A PIN associated with a specific device that been cryptographically linked to your account. So while a seven digit PIN is easier to guess than a password, the physical device is much harder to steal over the internet. It’s defacto 2FA authentication.

[kube-system]

Yes, a several digit pin that unlocks a long private key is more secure than a shared secret with eight characters on its own.

[progbits]

PIN for secure module with throttling and max wrong attempt count is indeed safer than a password you can brute force offline.

[andrewstuart2]

Brute forcing offline kinda only works if you have a stolen hash or artifact like that. For a service like Google, they definitely have rate limits on password attempts.

I'm not saying I prefer either one here, just that password authentication doesn't automatically mean you can brute force offline.

[postalrat]

The real key is stored in a chip. Your pin unlocks the real key. The chip has hardware to rate limit pin attempts.

These types of chips tend to have many layers of physical security to protect the real key.

[wkat4242]

A pin is pretty safe when it unlocks a hardware token that limits the amount of attempts.

It's basically like a chip & pin bank card.

[wrs]

You have to possess the device and the PIN, so yes, it is quite a bit more secure.