With passkeys becoming more prevalent, and with the ability to store passkeys on hardware security keys (e.g., YubiKeys) for passwordless login, it is imperative to set a strong FIDO2 PIN on your security keys.

Otherwise, someone who has stolen or found one of your security keys may be able to brute-force guess the PIN, which would reveal information about what accounts can be accessed with the key (see screenshot below):

Thus, if you are using a security key for passwordless login, the FIDO2 PIN should be random (not something guessable, like 123456 or a phone number, birthdate, etc.). Please note that PINs used for FIDO2 can be up to 63 characters long, and may contain both letters and numbers.

The good news is that (at least on a YubiKey) an attacker only has 8 guesses before the key’s FIDO2 function is blocked (and resetting the FIDO2 protocol to unblock its use results in all stored passkeys being wiped from the key).

You can therefore choose your PIN entropy based on what odds you wish to give to an attacker who is attempting to guess your PIN. Specifically, to make the probability of success no greater than P, the PIN entropy E should be:

E ≥  3 - (log P)/(log 2)

The table below shows how long your random PIN should be to limit the attacker’s probability of success to some value P, based on what character set is used:

*The “Alpha” column assumes letters of the same case (e.g., all lowercase).
**The “Alphanumeric” column assumes numbers and mixed-case letters (there was no significant improvement for going from single-case alphabetic to single-case alphanumeric PINs).
^†Because the minimum PIN length is 4 characters, these 3-character random PINs would have to be padded by adding a non-random character.

If you want to use a passphrase, the wordlist used by bitwarden (EFF’s long wordlist) contains 7776 entries, which is almost 13 bits. So three words should be roughly 39 bits

@NathanHuisman Welcome to the forum!

Yes, FIDO2 PINs can be up to 63 characters long, so it would in principle be possible to use a passphrase consisting of up to 8 words (with word separator characters) or up to 9 words (without separators).

However, I suspect that someone who wanted to reduce the attacker’s probability of success to less than one in a million would rather type a 4-character alphanumeric code (e.g., 8zbU) than a two-word passphrase (e.g., fretful-illusive), especially if they use their passkeys frequently.

On the other hand, for someone who felt it was important to reduce the attacker’s probability of success to at most P ≈10^-11, I could perhaps see that a three-word passphrase (e.g., slideshow-yoyo-open) may be more attractive as a PIN than something like a 7-character alphanumeric code (e.g., fP9eLo3)

@grb,

I don’t get the numeric column. If you use 4 digits, the range is 0-9999, which gives 10,000 combinations, so the probability should be 10^–4. A 6-digit number has a probability of 1 in a million, that’s 10^–6.

Not arguing against this reasoning but just making a possibly useful note here, there is this research paper: “User Behaviour in Choosing PIN Codes for FIDO2 Security Keys: An Empirical Study and a Market Research,” which has the following interesting observations (to me)

• The study was carried out in a medium-sized organization, wherein 40% of the deployed security keys were found to have simple, easily guessable PIN codes. (The PINs were manually tried.)
• Factors influencing PIN selection: 62% of participants indicated that they chose PIN codes that were easy for them to remember. 28% of participants admitted to selecting PIN codes that were convenient and quick to type. 45% of participants were unaware of the importance of strong PIN codes in ensuring security. 13% of participants stated that they chose their PIN codes based on recommendations or PIN codes used by colleagues. 56% of participants reported that they had not received any formal training or guidelines regarding PIN code selection.

Recommendations for users:

• Choose Security Keys with Enhanced PIN Complexity: Opt for FIDO2 keys like Token2’s ‘PIN+’ series that enforce stricter PIN requirements. Such keys help mitigate vulnerabilities associated with easily guessable PINs.
• Follow Best Practices for PIN Creation: Select PIN codes with a minimum length of 6 digits and avoid simple patterns, sequential numbers, and repeating digits. Ensure your PIN is not easily guessable and varies from common choices.
• Stay Informed: Keep up with the latest security recommendations and updates from key manufacturers to ensure that your PIN practices align with current best practices.

With academics and experts recommending a minimum of 6-digit PINs (and to stay away from easily guessable ones), and with manually tried guessable PINs found in 40% of the sampled security keys, it’s probably reasonable to guess that the majority of security key users would have a PIN that is 6 digits or less.

Yes, the probability of success would be 10^‑4 for a single guess. But an attacker can make 8 guesses before the YubiKey locks, so their overall probability of success would be 8×10^‑4 ≈ 10^‑3.

Yes, but just like with master passwords, the length is not the most important factor — the randomness is. The entropy associated with a 6-digit numerical PIN that is derived from a calendar date, telephone number, postal code, etc., is going to be considerably lower than 20 bits (the entropy of a randomly generated 6-digit numerical PIN).

This is a bit off-topic, but if you randomly generate a 4 or 6-digit PIN and end up with more familiar digits, e.g., a date-matching PIN, would you use that PIN, or would you generate another one until it doesn’t match a more commonly used PIN?

I don’t have the time to perform and present a quantitative analysis of the trade-offs involved, but my gut feeling is:

1. Yes, I would probably re-generate in this case.
2. If the likelihood that a random number generator produces a guessable PIN is significant, then the PIN length should probably be increased.

Since the 4-digit and most likely 6-digit PINs are thoroughly pawned, I wonder if a tool that lets me pick a “less familiar” but maybe not “thoroughly unfamiliar” PIN based on HaveIBeenPwned’s distributions may feel safer for me. But I also wonder if this kind of thinking is a bit obsessive.

I think that the better solution would be to use an alpha or alphanumeric sequence (randomly generated) as the PIN, which would have the added benefit of requiring a shorter PIN length for equal protection — e.g., jaxyb or r3Ek for a one-in-a-million probability of compromise.

Android apps still ask for 4 or 6-digit PINs. For example, 2FAS is set up by default to use a 4-digit PIN lock, which you can configure to be a 6-digit PIN. My recently installed ecommerce apps have asked for 6-digit PINs. These allow biometrics as the primary or secondary unlock mechanism, but a PIN is the basic/backup unlock mechanism.

@Neuron5569 Is there a direct relevance of this observation to the current thread, which is about User Verification PINs on YubiKeys (and other CTAP2-compliant passkey authenticators with clientPIN = true)?

Is there a particular reason you didn’t include passphrases in that table? – As you pointed out, YubiKeys allow 63 alphanumeric characters – and (numerical) PINs are not without issues (as just discussed) – I would be more than ever in favour of e.g. a 3-random-words passphrase. (~ 39 bits of entropy, given a pool of 7776 words, but not taking into account the 8 possible guesses)

(before there are any discussions about that: my current FIDO PIN is actually “stronger” than a 3-random-words passphrase – the latter was just an example for comparison, or alternative consideration)

I gave my opinion about that in this comment.