--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/c06db23e-bd72-403a-9ce0-bd67d3b6738dn%40fidoalliance.org.
[C]an we enforce minimum PIN length to be longer than 6 digits? For instance 8 or more?
[...]
We just want a way to prevent the most easily guessed and common PIN codes from being used.
FIDO 2.1 already allows enforcing a minimum PIN length on a FIDO security key as an option, but note that setting the minimum length to 6 still doesn't prevent the user from setting the PIN value to 123456.
FIDO 2.0 has always allowed the vendor to configure additional PIN policies, though I’m not aware of any doing it already.
As John mentioned, the solution is probably to wait for up-to-date recommendations from NIST. They already provide some for entropy estimation, but as far as I remember it is stuck in the ASCII plane.
Another temporary solution would be for Windows Hello et al. to warn the user when setting a weak PIN.
Best regards,
--
Thomas Duboucher
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/dd373fce-7be1-4157-bfbf-196b03933a35n%40fidoalliance.org.
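An added example (my own code, not from the thread or from any FIDO client) of the client-side warning Thomas suggests: a check a CTAP client such as Windows Hello could run before sending a new PIN, honouring the minimum length the authenticator reports in getInfo (CTAP 2.1 minPINLength, default 4) and flagging guessable patterns that a length rule alone lets through. The COMMON_PINS set is a constructed sample, not a real blocklist.

```python
import unicodedata

# Constructed sample of commonly chosen numeric PINs (illustrative only).
COMMON_PINS = {"123456", "654321", "111111", "000000", "123123", "112233", "121212"}

# CTAP encodes the PIN as UTF-8: length is counted in Unicode code points,
# with a hard limit of 63 bytes on the encoded form.
MAX_PIN_BYTES = 63


def code_points(pin: str) -> int:
    """Length in code points after NFC normalisation (what CTAP counts, not bytes)."""
    return len(unicodedata.normalize("NFC", pin))


def is_sequential(s: str) -> bool:
    """True for runs such as 123456 or 987654 (every step is +1, or every step is -1)."""
    if len(s) < 2 or not s.isdigit():
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def weak_pin_reasons(pin: str, min_pin_length: int = 4) -> list[str]:
    """Return the reasons `pin` should trigger a warning; an empty list means it passes.

    `min_pin_length` is the value the authenticator reports via getInfo; the client
    should warn rather than silently block, since the user may still insist.
    """
    pin = unicodedata.normalize("NFC", pin)
    reasons = []
    if code_points(pin) < min_pin_length:
        reasons.append(f"shorter than authenticator minimum of {min_pin_length} code points")
    if len(pin.encode("utf-8")) > MAX_PIN_BYTES:
        reasons.append(f"longer than {MAX_PIN_BYTES} UTF-8 bytes")
    if pin in COMMON_PINS:
        reasons.append("in the common-PIN list")
    if is_sequential(pin):
        reasons.append("sequential digits")
    # Whole PIN made of one short pattern repeated, e.g. 111111 (n=1) or 121212 (n=2).
    for n in range(1, len(pin) // 2 + 1):
        if len(pin) % n == 0 and pin[:n] * (len(pin) // n) == pin:
            reasons.append(f"repeats a {n}-character pattern")
            break
    return reasons
```

Note that "123456" passes a minPINLength of 6 on its own and is caught here only by the pattern and blocklist rules, which is exactly the gap the reply describes.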