
How PIN Security Works

  • Secure Storage: Your PIN is encrypted and stored securely in device hardware (TPM on Windows, Keychain on Apple devices)
  • Local-Only Access: The PIN never leaves your device and is not transmitted over networks
  • Brute-Force Protection: TruU automatically locks authentication after multiple failed attempts

Windows Authenticator PIN Protection

With the Windows Authenticator, we protect the PIN by disallowing its use after too many wrong attempts. The default values for this are as follows:
  • Allowed Incorrect Attempts: 8
  • Lockout Period (after maximum has been exceeded): 1 hour

Mac Authenticator PIN Protection

With the Mac Authenticator, we have similar protection using these default values:
  • Allowed Incorrect Attempts: 8
    • This value can be changed in the config file used to enroll the device.
  • Lockout Period (after maximum has been exceeded): 10 minutes
    • This value can be changed in the config file used to enroll the device.

Here is how the values should appear in your config file. If your config file does not contain these values, please copy and paste from here.

"accountLockOverride": {
    "maxFailedLoginAttempts": 10,
    "minutesUntilFailedLoginReset": 6,
    "shouldLockScreenOnAccountLock": true
}

NOTE:
  • Locate your device enrollment configuration file
  • Add the accountLockOverride section if not present
  • Modify values according to security requirements
  • Save and redeploy the configuration

Mobile Authenticator PIN Protection

For the TruU mobile apps, we also prevent brute-force attacks by blocking use of the PIN after too many failed attempts. The lockout rules for mobile are not configurable and use the following values:
  • Allowed Incorrect Attempts: 8
  • Lockout Period (after maximum has been exceeded): 30 seconds
NOTE:
  • Mobile app lockout rules are not configurable
  • Protection is automatically enforced across all mobile devices
  • Provides quick security with minimal user disruption

TruPIN PIN Protection

For the TruPIN, we also prevent brute-force attacks by blocking use of the PIN after too many failed attempts. The lockout rules for TruPIN are not configurable by Admins (but TruU can configure the rules upon request) and use the following values:
  • Allowed Incorrect Attempts: 5
  • Time Window: 10 minutes (this value defines the time range for the failed attempts — e.g., if the user enters an incorrect PIN, and then waits more than 10 minutes for their next attempt, a failed attempt at that point would be the first failed attempt)
  • Lockout Period: 10 minutes
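
The TruPIN rules above modeled as a small state machine, as an added example that is not TruU's code. It assumes the lock engages on the failure that reaches the allowed count, that a correct PIN clears the count, and that failures older than the time window stop counting; the class, function and timeline names are hypothetical and the timelines are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class PinThrottle:
    """Model of the TruPIN rules listed above; semantics are assumed, not TruU's code."""
    max_attempts: int = 5   # Allowed Incorrect Attempts
    window_s: int = 600     # Time Window: 10 minutes
    lockout_s: int = 600    # Lockout Period: 10 minutes
    failures: list = field(default_factory=list)  # times of failures still counted
    locked_until: float = 0.0

    def attempt(self, now: float, pin_ok: bool) -> str:
        if now < self.locked_until:
            return "locked"  # refused outright; the PIN is not evaluated
        # Failures older than the time window no longer count.
        self.failures = [t for t in self.failures if now - t <= self.window_s]
        if pin_ok:
            self.failures.clear()  # assumption: a correct PIN resets the count
            return "ok"
        self.failures.append(now)
        if len(self.failures) >= self.max_attempts:
            # Assumption: the lock engages on the failure that reaches the limit.
            self.locked_until = now + self.lockout_s
            self.failures.clear()
            return "lockout"
        return "failed"


def replay(events, throttle=None):
    """Run constructed (seconds, pin_ok) events through the model."""
    throttle = throttle or PinThrottle()
    return [throttle.attempt(t, ok) for t, ok in events]


def evaluated_wrong_pins(duration_s, step_s=1):
    """Policy-review bound: wrong PINs evaluated when one arrives every step_s."""
    throttle, count = PinThrottle(), 0
    for now in range(0, duration_s, step_s):
        if throttle.attempt(now, False) != "locked":
            count += 1
    return count


# Constructed timelines: (seconds since first attempt, PIN correct?)
BURST = [(t, False) for t in (0, 60, 120, 180, 240)] + [(300, True), (840, True)]
SPACED = [(t, False) for t in (0, 601, 700, 800, 900, 1000)]

if __name__ == "__main__":
    print(replay(BURST), replay(SPACED), evaluated_wrong_pins(24 * 3600))
```

The SPACED timeline shows the time-window effect: the first failure ages out after 10 minutes, so six wrong PINs are evaluated before the lock engages.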

Account Lockout Troubleshooting

If a user forgets their PIN and cannot log in:
  • Wait for the lockout period to expire (varies by platform)
  • Contact your IT help desk if lockout persists
  • Do not attempt to reinstall the app - this may cause additional issues

Common lockout scenarios and solutions:

Scenario | Solution
User forgets PIN | User needs to wait out the lockout period
Persistent lockouts | Verify device configuration settings
Multiple users affected | Check organizational policy configurations

Security Considerations

Why These Protections Matter:

  • Prevents unauthorized access to sensitive applications
  • Protects against automated brute-force attacks
  • Maintains compliance with security standards
  • Ensures enterprise data protection
