I was wondering if the secure element throttling only applies when you unlock your user profile, or if there is a way for per-app passcodes to use the Weaver API as well.
For context, I have a KeePassDX vault with a long-ass master password that I don't want to type every time, so I use the "advanced unlock" feature, which sets a six-digit PIN code. I have a similar situation with my banking apps: since they are designed to kill sessions immediately after you close the app for maximum security, you have to re-enter your password to log in every time.
How feasible is it for a BadUSB-type brute-force attack to succeed on these apps, assuming someone gains access to my unlocked Pixel? Do the apps automatically use the Weaver API, and if not, is there a way to force them to do it?
My guess is I'm sacrificing security for convenience, and will probably switch back to manually typing passwords if there is no good solution here.
P.S. I think all KeePass vaults use a high-computational-cost PBKDF-type function for key derivation, which throttles brute-force attempts on the software level, but I could be wrong there. I'm not sure if my banking apps use a similar thing. I'm sure their APIs have sufficient rate-limiting for brute-force attacks on the password itself from the server, but I'm unclear on the security of the six-digit passcode that you can set for quick unlock.