I wonder if the form is susceptible to timing attacks. That could make identifying a user's PIN even faster.