Confusion with FIDO U2F and FIDO2 Login and that FIDO2 PIN

I got pretty confused when I was recently asked by a crypto web service to create a PIN for my Yubikey. I realized that I’ve been using three Yubikeys as a second factor for bitwarden, gmail, etc. without ever setting the FIDO2 PIN.

It is worth mentioning that I only activated FIDO2 and FIDO U2F and disabled all other methods on my three Yubikey 5 NFCs (USB-A and/or USB-C). You should also know that I used the FIDO2 WebAuthn option when registering my keys with bitwarden (see screenshot at the end).

So much for the setup. I did some testing on the bitwarden web login:

  • I set a FIDO2 PIN on one of my Yubikeys and tried whether I am still able to log in to bitwarden. It worked and I was asked to touch the key. I was not asked for the PIN.
  • I disabled FIDO2 (via Yubikey Manager) for the same Yubikey and tried to log in: worked again. Only asked to touch the key. (No PIN needed, obviously.)
  • I disabled FIDO U2F and enabled FIDO2 instead (via Yubikey Manager): exactly the same behaviour as in the case before. I get asked to touch the key. No asking for the PIN.
  • I linked a totally new Yubikey to bitwarden, on which I had enabled FIDO U2F and FIDO2 AND on which I had created a FIDO2 PIN before linking it to bitwarden: I got asked for the PIN one single time when first trying to link the key with my bitwarden account, but from this point on the PIN is never ever needed again…
  • I checked whether a Yubikey used as second factor becomes permanently useless if you registered it to bitwarden with a FIDO2 PIN set and then later reset the key (Yubikey Manager). You lose access and bitwarden will not know the key anymore.

Now I ask myself basically the following questions:

  1. What is that FIDO2 PIN for if one is never asked for it besides when linking a new key to an account for the first time?
  2. Related to 1.: What additional security is therefore provided by the PIN? I just don’t see any additional security if the PIN is not always asked for.
  3. Why am I able to disable FIDO2 in the Yubikey Manager and only leave FIDO U2F enabled and still be able to login to bitwarden with the Yubikey without any problems - although the method, which is supposed to be used is FIDO2 WebAuthn? (see screenshot). Is FIDO2 some sort of downwards compatible with FIDO U2F or FIDO U2F upwards compatible with FIDO2 (depends how you want to see this :slight_smile: )?
  4. I know that I WILL lose the ability to login with a Yubikey when having to use the FIDO2 reset function for a Yubikey (as in my examples above), but is it also possible to lose access when adding a FIDO2 Pin to a key, which did not have a Pin when first registering to a certain web service?

Hi,

Thanks for raising the issue. I also wanted to use a PIN together with Yubikey WebAuthn, since a lost/stolen key, together with my Bitwarden login user/password, can grant access to my vault.

Should we submit a feature request?

Cheers

As I did not get any reply here for months, I assume that it is useless :slight_smile: . But on the other hand I might ask this specific question to the support for paying customers. Because I still don’t understand which implementation is used for bitwarden and how it should actually be working… I know from binance for example that one is always asked for the Yubikey PIN in addition to having to press the sensitive area. I don’t know why bitwarden works kind of differently here.


Hi,

It’s actually a matter of implementation, since the part of the protocol between the user device and the authenticator (CTAP2) includes the possibility of requiring that the user proves that he/she is the legitimate owner of the authenticator device by providing a PIN code (something known) or biometric data (something he/she is), as is the case with Binance, Azure/Microsoft and others.

Today I sent a message to Bitwarden about this as a feature request and copied this thread for their reference. I’ve got a reply saying my suggestion has been forwarded to product engineering.

I think it is a good idea to open a support ticket as you mentioned.
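Added example, not code from this thread or from Bitwarden: the relying-party side of what the reply above describes. Whether the authenticator prompts for the PIN is decided by the `userVerification` value the website puts in its WebAuthn request, and the server should then check the UV flag in the signed authenticator data it gets back rather than trusting that a PIN was entered. The rpId, the sample bytes and the helper names are assumptions.

```javascript
// Request options sent to navigator.credentials.get(). "discouraged" never asks
// for the PIN (touch only); "required" makes the authenticator verify the user
// (PIN or biometric) before it signs. rpId is an assumed value.
function buildGetOptions(challenge, credentialId, policy) {
  return {
    publicKey: {
      challenge,                                   // random bytes from the server
      rpId: "example.com",
      allowCredentials: [{ type: "public-key", id: credentialId }],
      userVerification: policy,                    // "discouraged" | "preferred" | "required"
    },
  };
}

// WebAuthn authenticator data layout: rpIdHash (32) | flags (1) | signCount (4) | ...
// Flag bits: 0x01 = UP (user presence, i.e. the touch), 0x04 = UV (user verified by PIN/biometric).
function parseAuthenticatorData(bytes) {
  if (bytes.length < 37) throw new Error("authenticator data too short");
  const flags = bytes[32];
  const signCount = new DataView(bytes.buffer, bytes.byteOffset + 33, 4).getUint32(0, false);
  return {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (flags & 0x01) !== 0,
    userVerified: (flags & 0x04) !== 0,
    signCount,
  };
}

// Server-side check once the assertion comes back. A touch alone satisfies
// "discouraged" and "preferred"; "required" must also see the UV bit, otherwise
// a stolen key plus the account password would be enough to get in.
function assertionSatisfiesPolicy(authData, policy) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) return false;
  if (policy === "required" && !parsed.userVerified) return false;
  return true;
}

// Constructed sample authenticator data: all-zero rpIdHash, given flags, signCount 1.
function sampleAuthData(flags) {
  const out = new Uint8Array(37);
  out[32] = flags;
  out[36] = 1;
  return out;
}
```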

I was confused about the same thing.
I thought the pin would be used for something.