Oh good grief. They validate only half of a 7-digit (+checksum digit) number at once, and tell you whether you got the first half right before asking for the second half? I don't know anything about encryption algorithms, and even I know not to do that.
Bonus points for limiting the PIN to a very restricted set of characters (0-9), making it fixed length, and making it immutable for any given AP.
ssh+2FA to all your machines, anywhere, without opening firewall ports.