Confusion with FIDO U2F and FIDO2 Login and that FIDO2 PIN

I got pretty confused when I was recently asked by a crypto web service to create a PIN for my Yubikey. I realized that I’ve been using three Yubikeys as second factor for bitwarden, gmail, etc. without ever setting the FIDO2 Pin.

It is worth to mention that I only activated FIDO2 and FIDO U2F and disabled alle other methods on my three Yubikey 5 NFCs (USB-A and/or USB-C). You should also know that I used the FIDO2 WebAuthn option when registering my keys with bitwarden (see screenshot at the end).

So far to the setting, I did some testing on the bitwarden web login:

  • I set a FIDO2 Pin on one of my Yubikeys and tried if I am still able to login to bitwarden. It worked and I was asked for touching the key. I was not asked for the pin.
  • I disabled FIDO2 (via Yubikey manager) for the same Yubikey and tried to login: Worked again. Only asked for touching the key. (No Pin needed obviously)
  • I disabled FIDO U2F and enabled FIDO2 instead (via Yubikey manager): Exactly same behaviour like in the case before. I get asked to touch the key. No asking for the Pin.
  • I linked a totally new Yubikey to bitwarden, on which I had enabled FIDO U2F and FIDO2 AND on which I had created a FIDO2 pin before linking it to bitwarden: I got asked for the pin one single time when first tryting to link the key with my bitwarden account, but from this point on the pin is never ever needed again…
  • I checked if a Yubikey as second factor gets permanently useless if you registered it to bitwarden with a FIDO2 Pin set and then later reset the key (Yubikey Manager). You lose access and bitwarden will not know the key anymore.

Now I ask myself basically the following questions:

  1. What is that FIDO2 Pin for if one is never asked for it besides when linking a new key to an account for the first time?
  2. Related to 1.: What additionally security is therefore provided by the pin? I just don’t see any additional security if the Pin is not always asked for.
  3. Why am I able to disable FIDO2 in the Yubikey Manager and only leave FIDO U2F enabled and still be able to login to bitwarden with the Yubikey without any problems - although the method, which is supposed to be used is FIDO2 WebAuthn? (see screenshot). Is FIDO2 some sort of downwards compatible with FIDO U2F or FIDO U2F upwards compatible with FIDO2 (depends how you want to see this :slight_smile: )?
  4. I know that I WILL lose the ability to login with a Yubikey when having to use the FIDO2 reset function for a Yubikey (as in my examples above), but is it also possible to lose access when adding a FIDO2 Pin to a key, which did not have a Pin when first registering to a certain web service?


Thanks for raising the issue. I also wanted to use PIN together with Yubikey Webauth since a lost/stolen key, together with my Bitwarden login user/password, can grant access to my vault.

Should we submit a feature request?


As I did not get any reply here for months, I assume that it is useless :slight_smile: . But on the other hand I might ask this specific question to the support for paying customers. Because I still don’t unterstand, which implementation is used for bitwarden and how it should actually be working… I know from binance for example that there is always asked for the yubikey pin in addition to having to press the sensitive area. I don’t know why bitwarden works kind of different here.

1 Like


Its actually a matter of implementation, since the part of the protocol between the user device and the authenticator (CTAP2) includes the possibility of requiring that the user proves that he/she is the legit owner of the authenticator device by providing a PIN code (something known) or biometric data (something he/she is), as is the case with Binance, Azure/Microsoft and others.

Today I sent a message to Bitwarden about this as a feature request and copied this thread for their reference. I’ve got a reply saying my suggestion has been forwarded to product engineering.

I think it is a good idea to open a support ticket as you mentioned.

I was confused about the same thing.
I thought the pin would be used for something.