
And if you have all my devices? And what if you have all my external security tokens? And what if you also have all my passwords? And what if you have a complete replica of every thought in my head? And what if what if what if what if...

Sure. Whatever buddy. Nothing is truly secure. If they guessed my password as well along with my device I'd be in an even worse situation. At least my PIN just disappears forever after a few failed attempts and requires that physical device.

Needing a physical device which wipes itself after a few failed attempts is more secure than having a password that could be used anywhere on any device however many times they want to guess.

> without distinction only in some scenarios. Namely offline attack to a physical device.

There is a distinction in this domain though, and it's pretty massive. Offline attacks at guessing passwords: if you fail the PIN a few times (three on most of my machines), the PIN gets cleared, never to be used again. Meanwhile you can keep trying the password over and over. The account password on the device isn't getting cleared. So I can make the PIN pretty simple and easy to type in while making my regular password very long and complicated. It doesn't matter if it's a pain to type in, because it's not like I'm typing it in every time I walk away and come back to my computer.
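To make the asymmetry in that comment concrete, here is an added Python model (not from the thread or from any real product): a device-bound PIN verifier that erases its secret after a fixed number of failures, alongside the entropy an offline-guessable password would need to give an attacker the same odds. The 6-digit PIN, the 32-byte secret, and the 10^9 guesses-per-second offline rate are assumed illustrative values; the three-try limit is the one the comment mentions.

```python
import hashlib
import hmac
import math
import os
from typing import Optional

class DeviceBoundPin:
    """PIN verifier that lives only on the device; the secret it protects
    and the verifier itself are erased after max_tries consecutive failures."""
    def __init__(self, pin: str, max_tries: int = 3) -> None:
        self.max_tries = max_tries
        self.failures = 0
        self._salt = os.urandom(16)
        self._verifier: Optional[bytes] = self._derive(pin)
        self._secret: Optional[bytes] = os.urandom(32)  # stands in for a data key

    def _derive(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    @property
    def wiped(self) -> bool:
        return self._secret is None

    def unlock(self, pin: str) -> Optional[bytes]:
        """Return the secret on a correct PIN; on the last allowed failure wipe it."""
        if self.wiped or self._verifier is None:
            return None  # already wiped: no further guesses are possible
        if hmac.compare_digest(self._derive(pin), self._verifier):
            self.failures = 0
            return self._secret
        self.failures += 1
        if self.failures >= self.max_tries:
            self._secret = None
            self._verifier = None
        return None

def success_probability(keyspace: int, guesses: int) -> float:
    """Chance a uniformly guessing attacker succeeds within `guesses` tries."""
    return min(1.0, guesses / keyspace)

def bits_needed(guesses: float, max_success: float) -> int:
    """Entropy (bits) a random secret needs so that `guesses` tries succeed
    with probability at most `max_success`."""
    return math.ceil(math.log2(guesses / max_success))

# Worked numbers (assumed): 6-digit PIN with 3 device-bound tries versus a
# password attacked offline at 1e9 guesses/s for one year.
PIN_SUCCESS = success_probability(10**6, 3)                 # 3e-06
OFFLINE_GUESSES = 1e9 * 365 * 24 * 3600
PASSWORD_BITS = bits_needed(OFFLINE_GUESSES, PIN_SUCCESS)   # 74
```

The password needs roughly 74 bits of entropy to give the offline attacker the same odds that a 6-digit PIN gives someone holding the device, which is the trade-off the comment describes.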
