Methods to block use of easy to guess, common PINs?

Car Phone

Nov 30, 2021, 7:00:41 PM
to FIDO Dev (fido-dev)
Do any FIDO2 keys have the ability to block the most common and weak PINs such as repeating and sequential numbers?
Examples: 1234, 000000.

The fact that those are accepted as valid PINs means some users will set those PINs and defeat the purpose of having a PIN.

Since Office 365 (maybe others) has a sign in option for security keys that will autocomplete the user name for you by reading it from the key, having a PIN set as 1234 makes the security key a threat to security rather than an enhancement.

John Bradley

Nov 30, 2021, 8:34:43 PM
to Car Phone, FIDO Dev (fido-dev)
We did talk about adding PIN policies beyond minimum length in CTAP2.1, but no action was taken.

I think NIST is going to add some minimal PIN complexity rules to SP800-63, so it may come up again for CTAP2.2.

Nothing stops an authenticator vendor from adding that now; the issue will mostly be having sensible error messages for the user.

For Office365 you are probably talking about discoverable credentials. Yes, a weak local PIN is a problem. Though an attacker only has 8 attempts before the key permanently locks. So they need to be a bit lucky as well.

John B


Car Phone

Nov 30, 2021, 9:05:00 PM
to FIDO Dev (fido-dev), John Bradley, FIDO Dev (fido-dev), Car Phone
Yes, it's true that blocking after 8 attempts is plenty secure if the PIN is decent, but it doesn't take luck to guess 1234 before trying 7 other options. Most likely, anyone will guess 1234 as the first or second attempt, between that number and 0000.

Vendors say they can't do anything:

Yubico:

Unfortunately, there is not a way to enforce a stronger pin requirement on the YubiKey. However, FIDO2 PINs can be up to 128 alphanumeric characters (in other words, letters and numbers). For more information regarding PINs please see our Understanding YubiKey PINs article. 

[C]an we enforce minimum PIN length to be longer than 6 digits?  For instance 8 or more?

[...]

We just want a way to prevent the most easily guessed and common PIN codes from being used.


Unfortunately, there is no way to do this, but I want to clarify - even if someone knows/can guess a user's PIN, it shouldn't allow them to do anything without also having access to the corresponding YubiKey.

I would definitely recommend reaching out to the FIDO Alliance (https://fidoalliance.org/) as well regarding these standards that are set.

============================================================================================

Trust Key

They said they may be able to do something custom with an order of 10000 or more keys. It involves providing software that needs to be installed on PCs where the user sets a PIN of their choice, enrolls their fingerprint for biometric authentication, and then the user has to agree to the software resetting their PIN to a strong PIN that is not disclosed to them. The user then has to always use biometrics.
That's still a poor solution.
They said making stronger PIN requirements in the hardware would take their devices out of compliance with FIDO2 standards.

=========================================================
Feitian never responded.

DUBOUCHER Thomas

Dec 1, 2021, 4:39:01 AM
to Car Phone, FIDO Dev (fido-dev), John Bradley, FIDO Dev (fido-dev)

FIDO 2.1 already allows enforcing a minimal PIN length on a FIDO security key as an optional feature, but note that setting the minimal length to 6 still doesn’t prevent the user from setting the PIN value to 123456.


FIDO 2.0 has always allowed the vendor to configure additional PIN policies, though I’m not aware of any doing it already.


As John mentioned, the solution is probably to wait for up-to-date recommendations from NIST. They already provide some for entropy estimation, but as far as I remember it is stuck in the ASCII plane.


Another temporary solution would be for Windows Hello et al. to warn the user when setting a weak PIN.


Best regards,


--

Thomas Duboucher
