petedoyle | 2 years ago
> This approach works because the secure enclave provides measures against bruteforcing and tampering.
That's interesting!
> because that implies off-device use of the PIN, so those measures are lost
This link from your previous thread is interesting: https://support.apple.com/en-sg/guide/security/sec3e341e75d/...
Uses SRP to let the device prove to iCloud HSMs that the user entered the correct pin, without ever sending it over the wire. The HSMs have similar protections for brute forcing, etc.
From the docs I have a fairly high confidence entropy is 256 bits for iCloud Keychain. I have much less confidence on Android, but I'm still researching... :)
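The exchange the comment describes, as an added example that is not from the comment, from Apple's documentation, or from any vendor implementation: an SRP-6a (RFC 5054 style) run in which the client proves knowledge of a PIN to a verifier that stores only a salt and the value v = g^x. The PIN never crosses the wire, and the verifier side (modelling the HSM role) counts failed proofs and refuses further challenges after a limit. The group is the 1024-bit (N, g) from RFC 5054 Appendix A, transcribed here; the hash choices (SHA-256 everywhere, M1 = H(A | B | K), M2 = H(A | M1 | K)), the lockout policy, the username and the PIN are constructed assumptions for the demonstration, not Apple's parameters.

```python
"""SRP-6a password-authenticated key exchange, self-contained demonstration.
The verifier stores (salt, v) and never the PIN; a wrong PIN is detected from
the client's proof M1, and repeated failures lock the verifier record."""
import hashlib
import secrets
from typing import Optional, Tuple

# 1024-bit group from RFC 5054 Appendix A (transcribed; check against the RFC before reuse).
N_HEX = (
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C"
    "9C256576D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE4"
    "8E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B29"
    "7BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9A"
    "FD5138FE8376435B9FC61D2FC0EB06E3"
)
N = int(N_HEX, 16)
g = 2
N_LEN = (N.bit_length() + 7) // 8  # 128 bytes; width used when padding values


def H(*parts: bytes) -> int:
    """SHA-256 over the concatenated parts, read as a big-endian integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def pad(n: int) -> bytes:
    """Left-pad an integer to the byte length of N, as SRP-6a requires for hashing."""
    return n.to_bytes(N_LEN, "big")


K_MULT = H(pad(N), pad(g))  # k = H(N | PAD(g)), the SRP-6a multiplier


def private_x(username: str, pin: str, salt: bytes) -> int:
    """x = H(salt | H(username ':' pin)); computed only on the client, never stored."""
    return H(salt, hashlib.sha256(f"{username}:{pin}".encode()).digest())


def register(username: str, pin: str) -> dict:
    """Client-side enrolment: the only things sent to the verifier are salt and v = g^x."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "verifier": pow(g, private_x(username, pin, salt), N)}


class VerifierSide:
    """Models the HSM/server role: holds (salt, v), counts failed proofs, locks out."""

    def __init__(self, record: dict, max_attempts: int = 5):
        self.salt, self.v = record["salt"], record["verifier"]
        self.failures, self.max_attempts = 0, max_attempts
        self.K: Optional[int] = None

    def challenge(self, A: int) -> Tuple[bytes, int]:
        if A % N == 0:  # mandatory SRP-6a check; a zero A would fix S to 0
            raise ValueError("client public value A must not be 0 mod N")
        if self.failures >= self.max_attempts:
            raise PermissionError("verifier record locked after repeated failures")
        self.b = secrets.randbelow(N - 2) + 1
        self.A = A
        self.B = (K_MULT * self.v + pow(g, self.b, N)) % N
        return self.salt, self.B

    def verify(self, M1: int) -> Optional[int]:
        """Check the client's proof; on success return M2 so the client can check us."""
        u = H(pad(self.A), pad(self.B))
        S = pow(self.A * pow(self.v, u, N), self.b, N)  # (A * v^u)^b
        K = H(pad(S))
        if M1 != H(pad(self.A), pad(self.B), pad(K)):
            self.failures += 1
            return None
        self.failures = 0
        self.K = K
        return H(pad(self.A), pad(M1), pad(K))


def client_login(username: str, pin: str, server: VerifierSide) -> Optional[int]:
    """One SRP run from the client's side; returns the session key K or None on failure."""
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    salt, B = server.challenge(A)
    if B % N == 0:  # mandatory SRP-6a check on the server's public value
        raise ValueError("server public value B must not be 0 mod N")
    x = private_x(username, pin, salt)
    u = H(pad(A), pad(B))
    S = pow((B - K_MULT * pow(g, x, N)) % N, a + u * x, N)  # (B - k*g^x)^(a + u*x)
    K = H(pad(S))
    M1 = H(pad(A), pad(B), pad(K))
    M2 = server.verify(M1)
    if M2 is None or M2 != H(pad(A), pad(M1), pad(K)):
        return None
    return K


def demo(max_attempts: int = 3) -> dict:
    """Correct PIN succeeds with matching keys; wrong PINs fail; then the record locks."""
    record = register("alice", "482913")  # constructed sample credentials
    server = VerifierSide(record, max_attempts)
    good_key = client_login("alice", "482913", server)
    keys_match = good_key is not None and good_key == server.K
    wrong = [client_login("alice", "000000", server) for _ in range(max_attempts)]
    locked = False
    try:
        client_login("alice", "482913", server)  # even the right PIN is refused now
    except PermissionError:
        locked = True
    return {"good_ok": good_key is not None, "wrong_all_rejected": all(r is None for r in wrong),
            "keys_match": keys_match, "locked": locked}


if __name__ == "__main__":
    print(demo())
```

The point the comment makes is visible in `VerifierSide`: it holds no PIN to leak, every guess costs a full protocol round against the verifier, and the failure counter is what gives an HSM-hosted verifier the same rate-limiting leverage a secure enclave has over local guesses. The demo runs the lockout at three attempts purely to keep it short.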