I set a PIN on the FIDO2 interface of my Yubikeys and then added them to the few accounts that permit Webauthn.
I noted that every site asks for the PIN from the Yubikey as expected. That is every site except Bitwarden which does not ask for the PIN.
So I searched the code and I found that this is intentional.
The key idea behind 2FA is that you need to provide something you know and something you have. What you know is your password and what you have is your FIDO2 device. Requiring an additional PIN would not really make sense. It does for passwordless authentication (e.g. with Microsoft), where the PIN replaces the password as the factor you know.
By the way, many websites let FIDO2 devices ask for their PIN because that’s the default (user verification = preferred), but they don’t perform verification on the server side. You can verify this by unchecking FIDO2 in the YubiKey Manager (only keep U2F). You’ll then probably still be able to log in, while no PIN prompt will appear.
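The server-side check described in the reply above, as an added example that is not part of this thread and not Bitwarden's code: it parses the `authenticatorData` of a WebAuthn assertion and only rejects a missing UV (user verified) bit when the relying party actually asked for `userVerification=required`; with `preferred` the PIN prompt is the client's choice and either outcome must be accepted. The RP ID `example.com`, the helper `build_auth_data` and the byte strings it produces are constructed for the demonstration; signature and counter checks are out of scope here.

```python
import hashlib
import struct

# Bit positions in the WebAuthn authenticatorData "flags" byte
FLAG_UP = 0x01  # User Present: the user touched the authenticator
FLAG_UV = 0x04  # User Verified: PIN, biometric or other verification was performed


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix of authenticatorData into its fields.

    Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian).
    Attested credential data and extensions may follow; they are ignored here.
    """
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than the 37-byte minimum")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "flags": flags,
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
    }


def check_user_verification(auth_data: bytes, rp_id: str, requested_uv: str) -> tuple:
    """Apply the relying party's userVerification policy on the server side.

    requested_uv is the value the RP sent in its authentication options:
    "required", "preferred" or "discouraged". Only "required" makes the UV bit
    mandatory; for the other two the server must accept either outcome.
    Returns (ok, reason) so a caller can log why an assertion was rejected.
    """
    parsed = parse_authenticator_data(auth_data)
    expected_hash = hashlib.sha256(rp_id.encode("utf-8")).digest()
    if parsed["rp_id_hash"] != expected_hash:
        return (False, "rpIdHash does not match this relying party")
    if not parsed["user_present"]:
        return (False, "UP flag not set: no user presence check")
    if requested_uv == "required" and not parsed["user_verified"]:
        return (False, "UV flag not set but userVerification=required")
    return (True, "ok")


def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Construct a minimal authenticatorData blob (test fixture, not real authenticator output)."""
    return (
        hashlib.sha256(rp_id.encode("utf-8")).digest()
        + bytes([flags])
        + struct.pack(">I", sign_count)
    )


if __name__ == "__main__":
    # Constructed sample assertions for the assumed RP ID "example.com".
    with_pin = build_auth_data("example.com", FLAG_UP | FLAG_UV, 7)
    without_pin = build_auth_data("example.com", FLAG_UP, 8)
    for label, blob in (("touch + PIN", with_pin), ("touch only", without_pin)):
        for policy in ("required", "preferred"):
            print(label, policy, check_user_verification(blob, "example.com", policy))
```

The "touch only" assertion under `preferred` passes, which is exactly the situation the reply describes: the site prompted for a PIN because the authenticator defaults to it, but the server never required it, so disabling the FIDO2 interface and falling back to U2F still logs you in.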
I think this server-side enforcement of Yubikey PINs is annoying and inconsistent. I see the value of a PIN. For example, passwordless login or local threats so people can’t tap your Yubikey in a workplace, etc. However, I would prefer Yubikey’s implementation be client-side. Set a PIN for the sites I want and none for others, based on my preference. The current approach means I am sometimes prompted for a PIN and other times not, and it just seems haphazard. None of this is Bitwarden’s fault, of course.