The user "has" a token and "knows" a PIN code
For more in-depth details on the technical flow for PIN validation, check out:
User authentication can be executed from the ReadMyCards application.
At the bottom of the page, there are 3 use cases available:
authenticate a user with the browser PIN dialog OR the operating system PIN dialog
upload a PDF document as a prerequisite for performing a digital signature
digitally sign a PDF document
The Trust1Connector asks the user for a PIN when performing an authentication or a digital signature. When a user enters the PIN in a browser dialog, the SDK provides the functions needed to encrypt the PIN before it is sent from the browser to the local Trust1Connector instance, so the PIN never travels in plaintext. The reasoning behind this approach is:
the Trust1Connector does NOT trust the local browser: the browser can be compromised by a malicious plugin, for example; because the PIN is encrypted before it leaves the page, no PIN code is visible in the browser's debug console or network tooling
applications are not trusted unless they present a valid token and perform a key exchange before using the connector
When the toggle 'Use operating system pin dialog' is enabled, PIN entry in the browser is skipped and delegated to the operating system: the Trust1Connector asks the underlying operating system to handle the PIN entry. This means that the PIN entry is COMPLETELY separated from the web application and the browser, so no page script, plugin or extension ever sees the PIN.
Which option is appropriate depends on the use case and the security policies applied in an organization. The Trust1Connector aims to guarantee a safe implementation for both use cases mentioned.
When the use case completes successfully, the following message appears briefly in the top right: