
> it will block the card after 3 incorrect pin attempts and after 3 incorrect attempts to unblock the card it will permanently erase the secure storage on the card.

Why three? Can someone actually guess your pin in 4 tries? I hate the number 3 used for these things. Raise it to 20 and you'll have virtually the same amount of security, but the false positives will drop to 0.




You can change it to whatever you want. Here are the configuration options for my card for the user pin:

http://i.imgur.com/hHxlh2f.png

The whole thing is even more complex than that. You can actually have different pins for different roles. For example, you could set up a different pin that can only be used for authentication with a specific keypair/certificate. Also, a pin does not even have to be a pin as such. The admin pin on the card (i.e. the role that can unblock the user pin) is actually a challenge-response, as it is designed so that a user can phone up IT support or something and tell them the challenge from the card, and IT support can give them a response that will then unblock their normal pin.
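
The retry and unblock behaviour discussed in this thread, modelled as an added example that is not part of either comment and is not any card vendor's code. The class and function names are hypothetical, and truncated HMAC-SHA256 is an assumption standing in for the card's challenge-response algorithm, which the thread does not name.

```python
import hashlib
import hmac
import secrets

class CardModel:
    """Toy model of the PIN policy described in the thread (not a real card API)."""

    def __init__(self, user_pin, admin_key, pin_tries=3, unblock_tries=3):
        self.user_pin, self.admin_key = user_pin, admin_key
        self.pin_tries = self.pin_left = pin_tries            # configurable limit
        self.unblock_tries = self.unblock_left = unblock_tries
        self.store = {"auth-key": b"constructed private key"}  # constructed sample
        self.challenge = None

    @property
    def state(self):
        if self.store is None:
            return "erased"
        return "blocked" if self.pin_left == 0 else "ready"

    def verify_pin(self, guess):
        if self.state != "ready":
            return False                                      # blocked or erased
        if hmac.compare_digest(guess.encode(), self.user_pin.encode()):
            self.pin_left = self.pin_tries                    # success resets counter
            return True
        self.pin_left -= 1
        return False

    def get_challenge(self):
        self.challenge = secrets.token_bytes(8)               # fresh nonce per attempt
        return self.challenge

    def unblock(self, response, new_pin):
        if self.state != "blocked" or self.challenge is None:
            return False
        expected = expected_response(self.admin_key, self.challenge)
        self.challenge = None                                 # challenge is single-use
        if hmac.compare_digest(response, expected):
            self.user_pin, self.pin_left, self.unblock_left = new_pin, self.pin_tries, self.unblock_tries
            return True
        self.unblock_left -= 1
        if self.unblock_left == 0:
            self.store = None                                 # permanent erase
        return False

def expected_response(admin_key, challenge):
    """What the help desk computes from the challenge the user reads out."""
    return hmac.new(admin_key, challenge, hashlib.sha256).digest()[:8]
```

The admin key never leaves the help desk in this model: the user only relays the challenge and the response, and each challenge is usable once.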



