I have a requirement to allow users to use a 4+ numeric pin style password on a single device. Obviously this is a bad password to be used directly to protect their server side account, so I want to ‘lock’ this PIN to the specific device, so that someone must have both the PIN and device to login, and where gaining access to the device does not give access to the PIN. Also, they already have a more conventional username/pw login, and by signing up on a device they are adding a new set of login credentials to this existing account. So this is my current plan:

1. During the local device signup process, locally generate a strong password.
2. Send this generated strong password to the server as their server-side device specific account password.
3. Use their supplied 4+ digit password to locally symmetrically encrypt the strong generated password.
4. Store this encrypted strong password on the local device.
5. During subsequent logins on that device, the user supplies the same 4+ digit password, it is used to decrypt the previously stored strong password, and the strong password is sent off to the server for login.

So I believe this achieves the strong server side password requirement. However I also need to protect as best I can against compromised client devices after the signup process (devices compromised before/during the signup process are a lost cause). Obviously with a 4 digit encryption key, there are only 10,000 possible combinations, so an attacker will easily be able to try every combination on the locally encrypted strong password very quickly. What I want to know is do I have to choose a specific symmetric encryption scheme and/or generated password format so that the attacker will not be able to tell from local data alone which of the 10k decryption attempts was the correct one? i.e. He would still have to attempt each of the 10k passwords on the server-side login.

Also, is there anything glaringly wrong with this approach, or a more standard approach to achieving these requirements? If there is a standard approach, is there a standard .NET library for this approach?