User PIN is not a PIN

[danielfett]

The user pin is not a Personal Identification Number and therefore should not be called PIN.

OTP would be my proposal.

TAN is another option.

[paulbastian]

While doing PR #95 I had the exact same thoughts, the phrase userPin does that seem to fit very well and I have seen a lot of confusion while explaning the UserPIN.
I think it should include transaction or session, so I could agree with TAN.

[Sakurann]

bikeshedding for a week - please come up with a good alternative name - otherwise it will stay PIN :D

[bc-pi]

Maybe Transaction Code. The parameter name could be tx_code

[pmhsfelix]

Suggest user_code, so the Offer parameter would be user_code_required and the Token Request would be just user_code.
An example token request would be

grant_type=urn:ietf:params:oauth:grant-type:pre-authorized_code
&pre-authorized_code=SplxlOBeZQQYbYS6WxSbIA
&user_code=493536

The downside is that now we have two codes: the pre-authorized_code and the user_code.

OAuth 2.0 Device Authorization Grant also uses the user_code identifier.

[paulbastian]

Right now, the UserPIN must be 4-8 digits. Depending on whether we want to free this constraint code might be better than number as in TAN.
I'm in favor of tx_code as its more about the transaction/session that is being secured, and not so much about the user in my opinion.

[cre8]

I also think that TAN is the better option over PIN:

• A pin can be set by the user. This is not the case for OID4VCI since the issuer generates it and passes it to the receiver on a secure channel
• A pin for my credit card is always the same. But here we should prefer to set a unique value each time

Features like time based TANs are out of scope of the OID4VCI, so TAN should be the way to go :)

[c2bo]

Imho tx_code seems to be the most neutral choice that conveys the transaction oriented meaning, TAN would kind of force numbers

[manecke]

I strongly support tx_code as well.

[Sakurann]

@jogu and @pmhsfelix said tx_code is not their favorite, but they can live with it. Seeing no one who strongly dislikes this opiton, I think we can go with tx_code