Why doesn't Bitwarden ask for the FIDO2 PIN when using Webauthn?

Setting up Webauthn today.

I set a PIN on the FIDO2 interface of my Yubikeys and then added them to the few accounts that permit Webauthn.
I noted that every site asks for the PIN from the Yubikey as expected. That is every site except Bitwarden which does not ask for the PIN.
So I searched the code and I find that this is intentional.

        UserVerification = UserVerificationRequirement.Discouraged

Can anyone explain why it is a good idea to bypass the PIN?

1 Like

The key idea behind 2FA is that you need to provide something you know and something you have. What you know is your password and what you have is your FIDO2 device. Requiring an additional PIN would not really make sense. It does for passwordless authentication (e.g. with Microsoft), where the PIN replaces the password as the factor you know.

By the way, many websites let FIDO2 devices ask for their PIN because that’s the default (user verification = preferred), but they don’t perform verification on the server side. You can verify this by unchecking FIDO2 in the YubiKey Manager (only keep U2F). You’ll then probably still be able to login, while no PIN prompt will appear.

Thanks for the response @guillaume

In the meantime I have had fun tracing the change back to these

They basically say that as Webauthn is being used for 2FA then the PIN just hinders the process (as did guillaume) so should be inhibited.

1 Like

I think this server-side enforcement of Yubikey PINs is annoying and inconsistent. I see the value of a PIN. For example, passwordless login or local threats so people can’t tap your Yubikey in a workplace, etc. However, I would prefer Yubikey’s implementation be client-side. Set a PIN for the sites I want and none for others, based on my preference. The current approach means I am sometimes prompted for a PIN and others not and it just seems haphazard. None of this is Bitwarden’s fault, of course.

2 Likes

So this is FIDO 2 Webauthn and not U2F? Also, does it use a resident key?

Can someone explain it to me further, because I was under the impression that “no pin” <=> U2F. This thread seems to imply that this is not actually the case, but… this does not stop my confusion, because…

in Yubikey manager I see the list of resident keys and I don’t see the key for bitwarden there. On the other hand, I don’t see anything about “U2F” like in this help page Passkey Two-Step Login | Bitwarden

Can someone help me please? I’m totally confused

UPD: I did an experiment and turned off FIDO U2F on the device and bitwarden still allowed me to log in. So this probably means that this is not U2F, but a non-resident FIDO 2 webauthn, which I thought was not a thing.

No expert here, but it’s FIDO2 / WebAuthn protocol (and not the FIDO/“FIDO1” U2F protocol).

(–> Passkey Two-Step Login | Bitwarden)

And it uses a non-discoverable credential (or server-side credential – “non-resident” would be a somewhat outdated terminology).

See this lengthy and also “confusing” – or “confused” :sweat_smile: – thread: Discussion about U2F vs FIDO2 passkeys for Bitwarden Two-Step Login

It’s a thing – I posted the definitions here: Make Login Passkeys Identifiably Distinct from 2FA Passkeys on End Device - #18 by Nail1684

PS: The discussion about WebAuthn and U2F seems to be even more complicated – see this discussion here. If I sum up that discussion correctly, even older (FIDO1) “U2F” keys can still be added, but they then use the (FIDO2) WebAuthn protocol. (however this technically works… don’t ask me…)

1 Like

This is inaccurate. When using FIDO2 Webauthn credentials, the service that you are authenticating to (the so-called “relying party”, or RP) specifies whether the login procedure (known as the “authentication ceremony”) must use user presence or user verification before proceeding with the login process (i.e., using the FIDO2 credentials to complete the challenge).

If the RP specifies that the authentication ceremony must include a check for user presence, then the authenticator (i.e., the Yubikey or whatever other entity is storing the FIDO2 credentials) must require the user to interact with the authenticator (e.g., tapping the Yubikey). This does not require the use of a PIN.

In contrast, if the RP requires user verification, then the authenticator must perform a check to determine that the person requesting to use the FIDO2 credentials is the same person who created the credential. Commonly, this means that the user must enter a PIN. However, there are alternative user verification methods (for example, biometrics can also be used), in which case there is no need to enter a PIN.

The bottom line is that there are many common cases in which FIDO2 Webauthn credentials are used with no PIN.

1 Like
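The last two posts describe the mechanism that decides whether a PIN prompt appears: the relying party sends a `userVerification` requirement with the assertion options, the authenticator reports what it actually did in the flags byte of the authenticator data (bit 0x01 = user present, bit 0x04 = user verified), and a relying party that wants verification must check that flag server-side rather than trusting the prompt. The following is an added example, not Bitwarden's code; the `rpId` `example.com`, the zeroed `rpIdHash` and the sample authenticator data are constructed placeholders. It builds the client-side options for the three policies and parses the flags as a server would, rejecting an assertion whose UV bit does not satisfy the policy that was requested.

```javascript
// Added example (not Bitwarden's code): WebAuthn user-verification policy on
// both sides of the ceremony.
// Authenticator data layout (WebAuthn "Authenticator Data" section):
//   rpIdHash[32] | flags[1] | signCount[4] (big-endian) | optional extensions
const FLAG_UP = 0x01; // user present  (touch on the key)
const FLAG_UV = 0x04; // user verified (PIN, biometric, ...)
const FLAG_AT = 0x40; // attested credential data follows (registration only)
const FLAG_ED = 0x80; // extension data follows

// Client side: the options handed to navigator.credentials.get().
// userVerification is one of 'discouraged' | 'preferred' | 'required'.
// Bitwarden's server uses Discouraged, so a YubiKey only asks for a touch.
function assertionOptions(challenge, allowCredentialIds, userVerification) {
  return {
    publicKey: {
      challenge,                       // Uint8Array issued by the server
      rpId: 'example.com',             // hypothetical relying party id
      allowCredentials: allowCredentialIds.map(id => ({ type: 'public-key', id })),
      userVerification,
    },
  };
}

// Server side: parse the fixed-size prefix of the authenticator data.
function parseAuthenticatorData(authData) {
  if (authData.length < 37) throw new Error('authenticator data too short');
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  const flags = authData[32];
  return {
    rpIdHash: authData.subarray(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    hasAttestedCredential: (flags & FLAG_AT) !== 0,
    hasExtensions: (flags & FLAG_ED) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Server side: enforce the policy that was sent in the options. Presence is
// always mandatory for an assertion; UV is mandatory only under 'required'.
// This is the check that the thread says many sites skip.
function verifyAssertionFlags(authData, userVerification) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) {
    return { ok: false, reason: 'UP flag not set' };
  }
  if (userVerification === 'required' && !parsed.userVerified) {
    return { ok: false, reason: 'RP required user verification but UV flag not set' };
  }
  return { ok: true, userVerified: parsed.userVerified, signCount: parsed.signCount };
}

// Constructed sample authenticator data: zeroed rpIdHash (placeholder),
// the given flags byte, and a signature counter of 7.
function sampleAuthData(flags) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  new DataView(buf.buffer).setUint32(33, 7, false);
  return buf;
}
```

Running `verifyAssertionFlags(sampleAuthData(0x01), 'required')` fails because the key reported a touch but no verification, while the same data under `'discouraged'` passes; `0x05` (UP and UV set) passes under every policy. A relying party that sends `'preferred'` and never inspects the UV flag gets the PIN prompt described in the thread without any security benefit from it.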
