I wanted to implement an optional PIN Access setting for my app (first time). I decided also to implement it all locally on the device so there is no internet or service check beyond on device encryption and comparison.
What I'm wondering is, since I've done it this way, there is no way for the user to access the app if they truly have forgotten their four digit PIN. Currently, I implemented a timer on the number of trials (after the first N-number tries you can't try for
5 mins, then 10, 15, to an hour). This can be annoying if you've really simply forgotten the PIN.
I was hoping to find reassurance if this is an acceptable route to go forward on. There are localized warnings and explanations before the PIN is set, and it's not set by default. The hash and salt are stored via the settings. And I warn the user to backup
the local database to Onedrive before enabling the PIN. Are these precautions enough for "fair warning"? Or should I opt for a net service via say facebook, microsoft account or my own service (all of which I admit I was trying to avoid online).
I guess I may not be clear, thanks for replying, but I've already implemented securing the password in isolated storage, using the hashed pass with a salt.
My concern was recovery; what would be a good way to allow the user to recover access if they truly forget their PIN. Currently, my implementation has a lot of warnings and messages that they simply can't. But is there an alternative?
What I'm toying with is just having them set a hint, backup the DB, and wish them luck to not forget. I'm curious if this is a good practice, or are there more experienced suggestions.