Random-positions PIN login
After the password, DocSign asks for three random positions of your PIN: the UK-bank pattern.
What it does
An optional second factor inserted between the password and TOTP stages. Each digit position is stored as its own independently salted bcrypt hash, so the server can verify any 3-of-N positions without ever storing the PIN as a whole. A keylogged or shoulder-surfed login session leaks only the 3 requested digits, not the full secret.
How it works
1. Settings → PIN → Set up. Pick a PIN of 6 to 12 digits; DocSign stores one bcrypt hash per position.
2. Log out and try logging back in.
3. After the password step, DocSign returns {requiresPin, positions: [i, j, k]}.
4. You enter only the requested 3 digits; the server bcrypt-verifies each one against the hash for its position.
5. If TOTP is enabled, the next stage challenges for the TOTP code.
Why it matters
- An attacker who watches a single login learns 3 digits and still faces 10^(N-3) possibilities for the unseen positions; each further observed login may reveal more positions, so the protection is against one-off capture, not a persistent keylogger.
- PIN failures use a separate lockout counter, so a wrong PIN does not burn the password-stage budget.
- Reset is by email link with password re-verification, the same AuthToken pattern as the 2FA reset.
- Note that a bcrypt hash of a single digit can be inverted with ten guesses, so the per-position hashes limit what an observed login leaks; they do not protect the PIN if the stored record itself is compromised.
Want to try it?
Most features are available the moment you sign up. No card required.