Thanks for taking a look.

Sorry, I should have mentioned that JavaScript is required for the demo. I've updated the link.

In a live app, the JavaScript is optional and the backend validation routine doesn't care if you enter the '-' characters or not.

I don't really get what you mean about the highlighting decreasing the security. If the box is red the user made a typo - the aim is to help the user. Having the box go green doesn't mean you typed the right thing it just means you typed one of the 32768 possible codes that would make that box go green.

I haven't yet decided whether the green is useful. The red to indicate a keying error is kind of the whole point but the green is optional.