Why doesn't Bitwarden ask for the FIDO2 PIN when using Webauthn?

Setting up Webauthn today.

I set a PIN on the FIDO2 interface of my Yubikeys and then added them to the few accounts that permit Webauthn.
I noted that every site asks for the PIN from the Yubikey as expected. That is every site except Bitwarden which does not ask for the PIN.
So I searched the code and found that this is intentional.

        UserVerification = UserVerificationRequirement.Discouraged

Can anyone explain why it is a good idea to bypass the PIN?

1 Like

The key idea behind 2FA is that you need to provide something you know and something you have. What you know is your password and what you have is your FIDO2 device. Requiring an additional PIN would not really make sense. It does for passwordless authentication (e.g. with Microsoft), where the PIN replaces the password as the factor you know.

By the way, many websites let FIDO2 devices ask for their PIN because that’s the default (user verification = preferred), but they don’t perform verification on the server side. You can verify this by unchecking FIDO2 in the YubiKey Manager (only keep U2F). You’ll then probably still be able to login, while no PIN prompt will appear.
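The server-side check that the post above says many sites skip is a check of the UV (user verified) bit in the authenticatorData returned with each assertion. The following is an added example, not code from Bitwarden or from either poster, showing how a relying party parses those bytes and decides whether to enforce user verification according to the `userVerification` requirement it sent (`required`, `preferred` or `discouraged`, the last being what the thread's `UserVerificationRequirement.Discouraged` line selects). The rp ID `example.com` and the authenticator data are constructed inline; a real server would additionally verify the signature over authenticatorData and the client data hash, which this example omits.

```python
import hashlib
import struct

# Flag bits in the WebAuthn authenticatorData structure (32-byte rpIdHash,
# 1 flags byte, 4-byte big-endian signature counter, then optional data).
FLAG_UP = 0x01  # user present: the key was touched
FLAG_UV = 0x04  # user verified: the authenticator checked a PIN or biometric


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte header of authenticatorData into its fields."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    return {
        "rp_id_hash": rp_id_hash,
        "flags": flags,
        "sign_count": sign_count,
        "up": bool(flags & FLAG_UP),
        "uv": bool(flags & FLAG_UV),
    }


def verify_assertion_flags(auth_data: bytes, rp_id: str, user_verification: str) -> bool:
    """Relying-party side check of rpIdHash, UP and UV.

    Returns True if the authenticator reported user verification, False if it
    did not. Raises ValueError when the assertion must be rejected. Only the
    'required' policy makes a missing UV bit a rejection; 'preferred' and
    'discouraged' accept the assertion either way, which is why a site using
    those settings still logs you in when the PIN prompt never appears.
    """
    if user_verification not in ("required", "preferred", "discouraged"):
        raise ValueError("unknown userVerification requirement")
    parsed = parse_authenticator_data(auth_data)
    expected_hash = hashlib.sha256(rp_id.encode("utf-8")).digest()
    if parsed["rp_id_hash"] != expected_hash:
        raise ValueError("rpIdHash does not match this relying party")
    if not parsed["up"]:
        raise ValueError("user presence flag not set")
    if user_verification == "required" and not parsed["uv"]:
        raise ValueError("user verification required but UV flag not set")
    return parsed["uv"]


def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Construct a minimal authenticatorData header for testing (constructed data)."""
    return (
        hashlib.sha256(rp_id.encode("utf-8")).digest()
        + bytes([flags])
        + struct.pack(">I", sign_count)
    )


if __name__ == "__main__":
    # Constructed sample: a touch-only assertion (UP) and a PIN-verified one (UP+UV).
    touch_only = build_auth_data("example.com", FLAG_UP, 1)
    pin_verified = build_auth_data("example.com", FLAG_UP | FLAG_UV, 2)
    for policy in ("discouraged", "preferred", "required"):
        for label, data in (("touch only", touch_only), ("PIN verified", pin_verified)):
            try:
                uv = verify_assertion_flags(data, "example.com", policy)
                print(f"{policy:11} {label:13} accepted, uv={uv}")
            except ValueError as exc:
                print(f"{policy:11} {label:13} rejected: {exc}")
```

Running it shows that only the `required` policy rejects the touch-only assertion; under `preferred` the PIN may be prompted on the client but its absence is still accepted, matching the behaviour described in the post.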

Thanks for the response @guillaume

In the meantime I have had fun tracing the change back to these

They basically say that as Webauthn is being used for 2FA, the PIN just hinders the process (as guillaume also said), so it should be inhibited.

1 Like

I think this server-side enforcement of Yubikey PINs is annoying and inconsistent. I see the value of a PIN. For example, passwordless login or local threats so people can’t tap your Yubikey in a workplace, etc. However, I would prefer Yubikey’s implementation to be client-side: set a PIN for the sites I want and none for others, based on my preference. The current approach means I am sometimes prompted for a PIN and other times not, and it just seems haphazard. None of this is Bitwarden’s fault, of course.

2 Likes