Clients... always the client. The client wants the user to use their phone as a first security barrier.
I was hoping something like Touch ID, but only for the PIN, was available. Just call the native SDK to take care of the authentication... but yes, I could see this become a rather large... (HUGE) security problem...