Setting up Webauthn today.
I set a PIN on the FIDO2 interface of my Yubikeys and then added them to the few accounts that permit Webauthn.
I noted that every site asks for the PIN from the Yubikey as expected. That is every site except Bitwarden which does not ask for the PIN.
So I searched the code and I find that this is intentional.
UserVerification = UserVerificationRequirement.Discouraged
Can anyone explain why it is a good idea to bypass the PIN?
The key idea behind 2FA is that you need to provide something you know and something you have. What you know is your password and what you have is your FIDO2 device. Requiring an additional PIN would not really make sense. It does for passwordless authentication (e.g. with Microsoft), where the PIN replaces the password as the factor you know.
By the way, many websites let FIDO2 devices ask for their PIN because thatâs the default (user verification = preferred), but they donât perform verification on the server side. You can verify this by unchecking FIDO2 in the YubiKey Manager (only keep U2F). Youâll then probably still be able to login, while no PIN prompt will appear.
Thanks for the response @guillaume
In the mean time I have had fun tracing the change back to these
They basically say that as Webauthn is being used for 2FA then the PIN just hinders the process (as did guillaume) so should be inhibited.
I think this server-side enforcement of Yubikey PINs annoying and inconsistent. I see the value of a PIN. For example, passwordless login or local threats so people canât tap your Yubikey in a workplace, etc. However, I would prefer Yubikeyâs implementation be client-side. Set a PIN for the sites I want and none for others, based on my preference. The current approach means I am sometimes prompted for a PIN and others not and it just seems haphazard. None of this is Bitwardenâs fault, of course.
So this is FIDO 2 Webauthn and not U2F? Also, does it use a resident key?
Can someone explain it to me further, because I was under the impression that âno pinâ <=> U2F. This thread seems to imply that this is not actually the case, but⌠this does not stop my confusion, becauseâŚ
in Yubikey manager I see the list of resident keys and I donât see the key for bitwarden there. On the other hand, I donât see anything about âU2Fâ like in this help page Passkey Two-Step Login | Bitwarden
Can someone help me please? Iâm totally confused
UPD: I did an experiment and turned off FIDO U2F on the device and bitwarden still allowed me log in. So this probably means that this is not U2F, but a non-resident FIDO 2 webauthn, which I thought was not a thing.
No expert here, but itâs FIDO2 / WebAuthn protocol (and not the FIDO/âFIDO1â U2F protocol).
(â> Passkey Two-Step Login | Bitwarden)
And it uses a non-discoverable credential (or server-side credential â ânon-residentâ would be a somewhat outdated terminology).
See this lengthy and also âconfusingâ â or âconfusedâ 
â thread: Discussion about U2F vs FIDO2 passkeys for Bitwarden Two-Step Login
Itâs a thing â I posted the definitions here: Make Login Passkeys Identifiably Distinct from 2FA Passkeys on End Device - #18 by Nail1684
PS: The discussion about WebAuthn and U2F seems to be even more complicated â see this discussion here. If I sum up that discussion correctly, even older (FIDO1) âU2Fâ keys can still be added, but they then use the (FIDO2) WebAuthn protocol. (however this technically works⌠donât ask meâŚ)
This is inaccurate. When using FIDO2 Webauthn credentials, the service that you are authenticating to (the so-called ârelying partyâ, or RP) specifies whether the login procedure (known as the âauthentication ceremonyâ) must use user presence or user verification before proceeding with the login process (i.e., using the FIDO2 credentials to complete the challenge).
If the RP specifies that the authentication ceremony must include a check for user presence, then the authenticator (i.e., the Yubikey or whatever other entity is storing the FIDO2 credentials) must require the user to interact with the authenticator (e.g., tapping the Yubikey). This does not require the use of a PIN.
In contrast, if the RP requires user verification, then the authenticator must perform a check to determine that the person requesting to use the FIDO2 credentials is the same person who created the credential. Commonly, this means that the user must enter a PIN. However, there are alternative user verification methods (for example, biometrics can also be used), in which case there is no need to enter a PIN.
The bottom line is that there are many common cases in which FIDO2 Webauthn credentials are used with no PIN.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.
