iOS PIN feature has security hole where unlimited attempts are allowed

Previous posts referring to the issue though it was never fixed:
Jan 2018, Sept 2019, Jan 2020

The issue comes down to if you have your vault set up to allow PIN access. When you try to log in to a page it asks for your PIN. If you enter it incorrectly then you get an error message saying the PIN is wrong. If you do this 5 times in a row then the prompt closes, but then you just need to tap the password field to pull up the PIN prompt and keep trying. It never prompts you for your master password, so you get unlimited attempts at the PIN.

Considering the PIN is a convenience feature, it’s usually shorter and therefore extremely susceptible to brute-force attacks.

Even worse, unlike the browser extension you cannot simultaneously have PIN enabled and have the master password prompt at app restart. You can only either allow PIN across the board, or set it so the PIN only unlocks the app directly with the master password as a prompt everywhere else.

Here’s a video of what this looks like. I did about 13 attempts and no request for the master password. You can’t see it in the video but I’m just typing “1” each time to get it to go through since that’s not the PIN.
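A minimal model of the lockout behaviour described above, added here as an illustration and not Bitwarden's own code: the failed-attempt counter either lives in the prompt object (so dismissing and re-opening the prompt resets it, which is what the post observes) or in the vault's persisted lock state (so it survives dismissal and the vault demands the master password after the threshold). The sample PIN and the five-attempt threshold are constructed values taken from the post's description.

```python
from dataclasses import dataclass

MAX_PIN_ATTEMPTS = 5  # threshold after which the post sees the prompt close


@dataclass
class VaultLockState:
    """Lock state that belongs to the vault, not to any one on-screen prompt."""
    pin: str
    failed_pin_attempts: int = 0
    master_password_required: bool = False


class PinPrompt:
    """One PIN prompt. counter_in_prompt=True reproduces the reported behaviour:
    the failure count is owned by the prompt and is lost when it closes."""

    def __init__(self, vault: VaultLockState, counter_in_prompt: bool):
        self.vault = vault
        self.counter_in_prompt = counter_in_prompt
        self.local_failures = 0
        self.closed = False

    def submit(self, guess: str) -> str:
        if self.vault.master_password_required:
            return "master_password_required"   # PIN path disabled for this session
        if guess == self.vault.pin:
            self.vault.failed_pin_attempts = 0
            return "unlocked"
        if self.counter_in_prompt:
            self.local_failures += 1
            if self.local_failures >= MAX_PIN_ATTEMPTS:
                self.closed = True    # prompt closes; a fresh prompt starts from zero
        else:
            self.vault.failed_pin_attempts += 1
            if self.vault.failed_pin_attempts >= MAX_PIN_ATTEMPTS:
                self.vault.master_password_required = True  # fall back to master password
                self.closed = True
        return "wrong_pin"


def pin_attempts_before_master_prompt(counter_in_prompt: bool, budget: int = 20) -> int:
    """Simulate a user who keeps entering a wrong PIN and re-taps the field whenever
    the prompt closes. Returns how many PIN submissions were accepted before the
    master password was demanded, capped at `budget` (only reached when unlimited)."""
    vault = VaultLockState(pin="4821")          # constructed sample PIN
    prompt = PinPrompt(vault, counter_in_prompt)
    accepted = 0
    while accepted < budget:
        if prompt.closed:
            prompt = PinPrompt(vault, counter_in_prompt)   # tapping the field re-opens it
        if prompt.submit("1") == "master_password_required":
            break
        accepted += 1
    return accepted
```

With the counter in the vault state the simulation stops at five PIN submissions; with the counter in the prompt it runs until the simulation budget is exhausted, matching the unlimited attempts the post reports.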