Fido2 sometimes prompts for PIN

pedro martelletto pedro at ambientworks.net
Thu Aug 25 17:21:31 AEST 2022


On Thu, Aug 25, 2022, at 8:34 AM, Jeremy Hansen wrote:
> Yubikey BIO.
>
> I’m noticing it consistently prompts me for pin when I use a different 
> fingerprint, so I guess what seemed to be a random prompt for my PIN is 
> just me not touching the key properly. This also explains why it 
> prompts for a touch the second time. I’d like to always prompt for PIN.
>
> I also noticed if I use the wrong fingerprint, as long as my PIN is 
> correct, it allows me to proceed. I guess I expected that a second bad 
> fingerprint after the PIN prompt would kick me out.

I am afraid that is by design. Fingerprint verification and PIN authentication are codified as equivalent forms of user verification in FIDO2. They satisfy the same criteria from the verifier's perspective, and there is no way for the verifier to know which method was used.

(Apologies in advance if the formatting of this message is skewed; I am typing it from a browser.)

-p.

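To illustrate the point above (the relying party only sees a "user verified" flag and cannot tell a PIN entry from a fingerprint match), here is an added Python example; it is not code from the thread or from OpenSSH. It constructs minimal WebAuthn/CTAP2 authenticatorData blobs using the standard layout (rpIdHash || flags || signCount) and runs a hypothetical relying-party policy check over them; the RP id and counter values are made up.

```python
import hashlib
import struct

# Flag bits of the WebAuthn/CTAP2 authenticatorData "flags" byte.
FLAG_UP = 0x01  # user present: the key was touched
FLAG_UV = 0x04  # user verified: PIN, fingerprint or any other on-device method
FLAG_AT = 0x40  # attested credential data follows (registration only)
FLAG_ED = 0x80  # extension data follows

def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Construct a minimal assertion authenticatorData: rpIdHash || flags || signCount."""
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    return rp_id_hash + bytes([flags]) + struct.pack(">I", sign_count)

def parse_auth_data(auth_data: bytes) -> dict:
    """Split authenticatorData into the fields a relying party actually sees."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData must be at least 37 bytes")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": sign_count,
    }

def accept_assertion(auth_data: bytes, rp_id: str, require_uv: bool) -> bool:
    """Hypothetical relying-party policy check (signature verification omitted).
    No field records *how* UV was satisfied, so PIN and fingerprint look identical."""
    fields = parse_auth_data(auth_data)
    if fields["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False
    if not fields["user_present"]:
        return False
    return fields["user_verified"] or not require_uv

# Constructed samples: same RP; only the (invisible) verification method differs.
RP_ID = "example.com"
AFTER_FINGERPRINT = build_auth_data(RP_ID, FLAG_UP | FLAG_UV, sign_count=7)
AFTER_PIN = build_auth_data(RP_ID, FLAG_UP | FLAG_UV, sign_count=8)
TOUCH_ONLY = build_auth_data(RP_ID, FLAG_UP, sign_count=9)

if __name__ == "__main__":
    for name, blob in [("fingerprint", AFTER_FINGERPRINT), ("pin", AFTER_PIN), ("touch", TOUCH_ONLY)]:
        print(name, parse_auth_data(blob)["user_verified"], accept_assertion(blob, RP_ID, True))
```

The fingerprint and PIN blobs parse to the same fields apart from the signature counter, so any policy that accepts one must accept the other.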

More information about the openssh-unix-dev mailing list