Thanks for the feedback. The concept is not to return invalid login data by itself, then hackers could continue to try usernames and passwords which makes the concept of the pin protection useless. The login pin is generated each time from the users login name, so not easily hacked because you would be notified instantly if someone was attempting to access the account and the pin and password need to be submitted together for a successful login. You can set the length and type of login code also to make a stronger pin if you wish. I would ask you to read through the settings and code and take time to understand the process before making statements so you do not mislead other users looking at your review for more information. If you do find a real vulnerability however I will be most happy to get it fixed.
Thank you.
