I’ve got FIDO2 WebAuthn 2FA set up with two Yubico Security Key NFC keys. On both my security keys there is a PIN enabled.
The PIN is nicely requested when coupling the keys to Bitwarden. But during the actual login to the vault afterwards I only need to touch the key. No PIN is verified. This is the same on both keys and on several platforms (Web, Android).
My security key PIN always gets verified with other services like Microsoft and Google.
Is this by design since it’s 2FA only, or am I missing something here?
When used for 2FA Google also doesn’t request the PIN.
Microsoft does request the PIN when signing in with the key. But at MS the key is the primary sign-in mechanism, not the 2FA. No second factor is needed: key + PIN is enough. Guess the PIN is seen as a second factor, or they think the key itself is secure enough.
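An added example (not from either poster) showing in JavaScript how a relying party controls this: the `userVerification` option it passes to `navigator.credentials.get()` decides whether the authenticator must check the PIN, and the UV flag in the returned authenticatorData tells the server whether that actually happened. The rpId, challenge and credential id are constructed placeholders.

```javascript
// Options a relying party would pass to navigator.credentials.get() for a
// second-factor flow (touch only) versus a passwordless flow (PIN required).
// Valid userVerification values are "required", "preferred", "discouraged".
function assertionOptions(mode) {
  return {
    publicKey: {
      challenge: new Uint8Array(32), // placeholder; must be random per request
      rpId: "example.com",           // placeholder relying party id
      allowCredentials: [{ type: "public-key", id: new Uint8Array([1, 2, 3]) }],
      userVerification: mode === "passwordless" ? "required" : "discouraged",
    },
  };
}

// Parse the fixed header of authenticatorData: rpIdHash (32 bytes),
// flags (1 byte), signCount (4 bytes big-endian).
function parseAuthData(authData) {
  if (authData.length < 37) throw new Error("authenticatorData too short");
  const flags = authData[32];
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  return {
    rpIdHash: authData.slice(0, 32),
    userPresent: (flags & 0x01) !== 0,  // UP: the key was touched
    userVerified: (flags & 0x04) !== 0, // UV: PIN or biometric was checked
    signCount: view.getUint32(33, false),
  };
}

// Server-side policy check: a touch-only assertion (UP without UV) is fine
// for a 2FA flow, but must be rejected when user verification was required.
function acceptsAssertion(authData, requireUV) {
  const parsed = parseAuthData(authData);
  if (!parsed.userPresent) return false;
  if (requireUV && !parsed.userVerified) return false;
  return true;
}

// Constructed sample authenticatorData: zeroed rpIdHash, given flags,
// signCount = 7.
function sampleAuthData(flags) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  buf[36] = 7;
  return buf;
}
```

In a real flow the server also verifies the rpIdHash, the signature over authenticatorData and clientDataHash, and that the signCount increased.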