The user pin is not a [Personal Identification Number](https://en.wikipedia.org/wiki/Personal_identification_number) and therefore should not be called PIN. OTP would be my proposal. [TAN](https://en.wikipedia.org/wiki/Transaction_authentication_number) is another option.