diff --git a/README.md b/README.md
index 0db4e6f..9bad70a 100644
--- a/README.md
+++ b/README.md
@@ -109,7 +109,7 @@ Key usage can also be used to perform and auditory and track the usage of a part
 ### Public Key Authentication
 Public Key Authentication (PKA) allows to authenticate by using a secondary device with a private key and a registered public key in the primary device. A challenge is generated by the primary Pico HSM and given to the secondary for signature. The secondary device signs the challenge and returns the signature. Then, the primary device verifies the signature with the registered public key and if it is valid, it grants full access, as normal PIN authentication.
 
-In PKA, neither PIN nor retry counters are used, since a private key is needed. Therefore, this mechanism provides a higher degree of security, since it needs a secondary Pico HSM to authenticate the primary one.
+In PKA, the PIN is used for protecting the DKEK, as classic method with only PIN, and PKA is used for adding an extra security layer. Therefore, this mechanism provides a higher degree of security, since it needs a secondary Pico HSM to authenticate the primary one.
 
 [^1]: PKCS11 modules (`pkcs11-tool` and `sc-tool`) do not support CMAC and key derivation. It must be processed through raw APDU command (`opensc-tool -s`).
 [^2]: Available via SCS3 tool. See [SCS3](/doc/scs3.md "SCS3") for more information.
diff --git a/doc/public_key_authentication.md b/doc/public_key_authentication.md
index 5a9055b..b67c100 100644
--- a/doc/public_key_authentication.md
+++ b/doc/public_key_authentication.md
@@ -1,6 +1,6 @@
 # Public Key Authentication
 
-Public Key Authentication (PKA) is a mechanism to authenticate a legit user without introducing any PIN. The authentication is performed by signing a challenge and checking the signature result.
+Public Key Authentication (PKA) is a mechanism to authenticate a legit user without introducing any PIN (see Notes below). The authentication is performed by signing a challenge and checking the signature result.
 
 1. A Pico HSM #A contains a private key, whose public key will be used for authentication.
 2. The public key of #A is registered into a second Pico HSM #B.
@@ -9,8 +9,6 @@ Public Key Authentication (PKA) is a mechanism to authenticate a legit user with
 5. #B verifies the signature against the challenge with the public key of #A, previously registered.
 6. If the signature is valid, #B grants access to the user.
 
-This mechanism has no retry counter or PIN throttling, as no PIN is set up on the device.
-
 To enable PKA, the device must be initialized beforehand. In case the device has secret/private keys, all shall be exported and reimported when the set up is finished.
 
 ## Requirements
@@ -66,12 +64,12 @@ From now on, you have full access and can operate normally with the primary devi
 Pico HSM uses the PIN to protect the DKEK, which is lately used to protect private/secret keys and wrap/unwrap. However, when PKA is enabled, the authentication is not performed by introducing any PIN.
 Authenticated privileges are granted when PKA succeeds, regardless of PIN, which is optional.
 
-Nevertheless, *it is extremely recommended to combine PKA with PIN*. Note that when combined, only PKA grants authenticated privileges. Therefore, if both schemes are setup, it is necessary to unlock the DKEK with PIN verification. 
+Nevertheless, **it is extremely recommended to combine PKA with PIN**. Note that when combined, only PKA grants authenticated privileges. Therefore, if both schemes are setup, it is necessary to unlock the DKEK with PIN verification. 
 Otherwise, it will not be possible to operate with private/secret keys despite the user will be logged in. 
 
 Unfortunately, SCS3 does not supports the combination of both schemes during the initialization. Fortunately, OpenSC does.
 
-To initialize the device with PKA *and* PIN use the following command (or similar), which accepts the use of PIN parameter *and* PKA configuration:
+To initialize the device with PKA **and** PIN use the following command (or similar), which accepts the use of PIN parameter **and** PKA configuration:
 
 ```
 sc-hsm-tool -X --so-pin 1234567890123456 --pin 648219 -K 1 -n 1 -s 1