[Feature Request] Forced delay on PIN entry

[sierramx]

A forced delay on PIN entry, ranging from minutes to days, could be a useful way to protect against $5 wrench attacks.

This feature would be available as an optional configurable timeout when setting up the PIN.

Unlocking the device would then work something like the following:

1. User enters PIN.
2. The device starts a countdown with the configured timeout and does not proceed until it has reached zero. Powering off the device results in having to restart from step 1.
3. Optionally: Ask the user again for the PIN. If it doesn't match the first PIN, restart from step 1.
4. If the PIN is wrong, the "wrong PIN" counter is increased. If the wrong PIN limit has been reached, the PIN is made invalid and the unlocking procedure is aborted. Otherwise restart from step 1.
5. If the PIN is correct, the device gets successfully unlocked and the "wrong PIN" counter is reset to 0.

On Coldcard this feature is referred to as login countdown. However, that implementation is not enforced by the device's secure element. Jade has the potential to provide an even more secure implementation by having the PIN oracle enforce the delay. This would require extending the PIN oracle protocol, but that shouldn't be too complicated I think.

[jgriffiths]

Hi @sierramx Thanks for the suggestion, we'll have a think about the implications and potential implementation issues.