We need a second device to enforce the time limits
Password security relies to a large degree on the time limits imposed upon password verification.
That is, if I can verify three passwords per minute then guessing an alphanumeric password of eight characters
might take approximately
Math.pow (36, 8) / 2 / (86400 / 20) / 365 = 2236 years,
but if I can verify three million passwords per second
then guessing the same password might take
Math.pow (36, 8) / 2 / (86400 * 3000000) = 5 days.
If we limit a PIN to be verified no more than three times per ten minutes