Passkey Entry


BLE pairing method where the user enters a 6-digit PIN displayed on one device to authenticate on the other.

Also known as: PIN Pairing

What Is Passkey Entry?

Passkey Entry is a BLE pairing association model that uses a 6-digit numeric code to authenticate the key exchange and provide man-in-the-middle (MITM) protection. One device displays the passkey, and the user types it into the other device, proving that both sides of the connection are communicating with a human-verified peer.

How It Works

The Passkey Entry flow differs between Legacy Pairing and LESC:

Legacy Pairing: The 6-digit passkey (000000 to 999999) is used directly as the Temporary Key (TK), zero-padded to 128 bits. Both devices compute confirm values from this TK and exchanged random numbers. If the confirms match, pairing proceeds. The weakness is that an eavesdropper can brute-force the 6-digit keyspace (only 1 million possibilities) to recover the TK.

LESC: The passkey is used to authenticate the ECDH key exchange bit by bit over 20 rounds. In each round, one bit of the passkey is incorporated into a commitment scheme. An attacker who does not know the passkey cannot produce valid commitments, providing MITM protection. Because the actual encryption keys derive from ECDH rather than the passkey itself, the 6-digit code does not limit the entropy of the link encryption.

When Passkey Entry Is Selected

The SMP selects Passkey Entry based on the I/O capabilities exchanged during Phase 1:

| Initiator I/O | Responder I/O | Model |
|---|---|---|
| DisplayOnly | KeyboardOnly | Passkey Entry |
| KeyboardOnly | DisplayOnly | Passkey Entry |
| KeyboardOnly | KeyboardOnly | Passkey Entry |
| KeyboardDisplay | KeyboardOnly | Passkey Entry |

Both Numeric Comparison and Passkey Entry provide MITM protection, but Numeric Comparison is preferred when both devices have displays because it is less error-prone for users.
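The selection rule can be checked against SMP Phase 1 PDUs. The following is an added example, not code from the original page: it parses a Pairing Request/Response pair, derives the association model, and flags Legacy Passkey Entry. It goes beyond the four table rows by covering the other I/O combinations, the MITM and OOB flags, and Just Works; the function names and sample PDU bytes are constructed for illustration.

```python
IO_CAPS = {0: "DisplayOnly", 1: "DisplayYesNo", 2: "KeyboardOnly",
           3: "NoInputNoOutput", 4: "KeyboardDisplay"}
MITM_BIT, SC_BIT = 0x04, 0x08  # AuthReq flag bits

# Constructed sample PDUs (not captured traffic): code, IO capability, OOB flag,
# AuthReq, max key size, initiator key distribution, responder key distribution.
REQ_KBDISP_SC = bytes.fromhex("0104000d100707")
RSP_KBONLY_LEGACY = bytes.fromhex("02020005100707")
RSP_KBONLY_SC = bytes.fromhex("0202000d100707")


def parse_pairing_pdu(pdu):
    """Decode a 7-byte SMP Pairing Request (0x01) or Response (0x02)."""
    if len(pdu) != 7 or pdu[0] not in (0x01, 0x02):
        raise ValueError("not an SMP Pairing Request/Response")
    if pdu[1] not in IO_CAPS:
        raise ValueError("reserved IO capability value")
    return {"io": IO_CAPS[pdu[1]], "oob": pdu[2] == 1,
            "mitm": bool(pdu[3] & MITM_BIT), "sc": bool(pdu[3] & SC_BIT)}


def association_model(req, rsp):
    """Return (model, lesc) for a parsed request/response pair."""
    lesc = req["sc"] and rsp["sc"]  # LESC only if both sides set the SC bit
    oob = (req["oob"] or rsp["oob"]) if lesc else (req["oob"] and rsp["oob"])
    if oob:
        return "Out of Band", lesc
    ios = {req["io"], rsp["io"]}
    if not (req["mitm"] or rsp["mitm"]) or "NoInputNoOutput" in ios:
        return "Just Works", lesc
    if "KeyboardOnly" in ios:
        return "Passkey Entry", lesc
    if "KeyboardDisplay" in ios:
        if "DisplayOnly" in ios or not lesc:
            return "Passkey Entry", lesc
        return "Numeric Comparison", lesc
    if ios == {"DisplayYesNo"} and lesc:
        return "Numeric Comparison", lesc
    return "Just Works", lesc


def audit(req_pdu, rsp_pdu):
    """Hypothetical helper: one-line finding for a pairing exchange."""
    model, lesc = association_model(parse_pairing_pdu(req_pdu),
                                    parse_pairing_pdu(rsp_pdu))
    if model == "Passkey Entry" and not lesc:
        return "WEAK: Legacy Passkey Entry, TK is offline brute-forceable"
    if model == "Just Works":
        return "WEAK: Just Works, no MITM protection"
    return f"OK: {model} ({'LESC' if lesc else 'Legacy'})"
```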

User Experience Considerations

Passkey Entry requires the user to correctly read and type a 6-digit number, which introduces friction and error potential. Common usability issues include:

  • Users misreading digits on small displays.
  • Timeout expiration if the user is too slow (typically 30 seconds).
  • Confusion about which device displays and which accepts input.

To reduce errors, some implementations display the passkey in groups (e.g., "123 456") or use larger fonts. The pairing timeout should be generous enough for the target audience, taking into account accessibility for elderly users or those with visual impairments.

Security Strength

With LESC, Passkey Entry provides robust MITM protection. An active attacker would need to guess the passkey in real time and produce valid ECDH commitments for all 20 rounds; the probability of success is 1 in 1,000,000 per attempt. The protocol does not allow retries within the same pairing session, so the attacker gets a single chance. With Legacy Pairing, the passkey can be brute-forced offline from a recorded exchange, which is why LESC should always be preferred.
