Security Key PIN ignored with FIDO2 WebAuthn

I’ve got FIDO2 WebAuthn 2FA set up with two Yubico Security Key NFC keys. On both my security keys there is a PIN enabled.

The PIN is nicely requested when coupling the keys to Bitwarden. But during the actual login to the vault afterwards I only need to touch the key. No PIN is verified. This is the same on both keys and on several platforms (Web, Android).

My security key PIN always gets verified with other services like Microsoft and Google.

Is this by design since it’s 2FA only, or am I missing something here?

Yes, it is by design. Since the key is acting as 2FA, PIN is not necessary.

https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Guide/User_Presence_vs_User_Verification.html

1 Like

Thanks for the quick response!

Clear. Feels a bit less secure though. It’s not verified now if it’s the actual user on the second factor part? Only if someone has ‘the thing’ (the key).

With TOTP 2FA via Microsoft Authenticator for example someone would need ‘the thing’ (the phone) and must also supply the fingerprint before seeing the TOTP codes. So the user is also verified.

An Authenticator App looks more secure than a security key to me now. But curious on thoughts on this. 🙂

The verification is pretty much done by the earlier authentication using the master password. You cannot reach the 2FA stage without passing the authentication part.

1 Like

One correction to this btw:

  • When used for 2FA Google also doesn’t request the PIN.
  • Microsoft does request the PIN when signing in with the key. But at MS the key is the primary sign-in mechanism, not the 2FA. No second factor is needed: key + PIN is enough. Guess the PIN is seen as a second factor, or they think the key itself is secure enough.