Groups keyboard shortcuts have been updated
Dismiss
See shortcuts

PIN set issue with webauthn

124 views
Skip to first unread message

Nour Alqarmy

unread,
Nov 22, 2024, 12:05:37 PM11/22/24
to FIDO Dev (fido-dev)
Most users know that the default min PIN length is 4, but the CTAP 2.0 specification allows for a min PIN length that is greater than 4, and in CTAP 2.1 the minPINLength property was added to the authenticatorGetInfo response to allow the platform to get the min PIN length so that it can provide proper UI guidance.

Authenticators that support FIPS 140-3 have a min PIN length requirement of 8, so the UI guidance is very important.

Tim Cappalli

unread,
Nov 22, 2024, 12:16:04 PM11/22/24
to Nour Alqarmy, FIDO Dev (fido-dev)
Hi - can you please expand on your question? It is not clear.

On Fri, 22 Nov 2024 at 12:05, Nour Alqarmy <noura...@gmail.com> wrote:
Most users know that the default min PIN length is 4, but the CTAP 2.0 specification allows for a min PIN length that is greater than 4, and in CTAP 2.1 the minPINLength property was added to the authenticatorGetInfo response to allow the platform to get the min PIN length so that it can provide proper UI guidance.

Authenticators that support FIPS 140-3 have a min PIN length requirement of 8, so the UI guidance is very important.

--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/8f016a2a-3d11-4ab1-90f3-132944560b06n%40fidoalliance.org.

My1

unread,
Nov 22, 2024, 1:51:29 PM11/22/24
to Tim Cappalli, Nour Alqarmy, FIDO Dev (fido-dev)
I think they are reposting part of this from august but forgot the most important oart.

Full quote:

Hi,

Has anyone noticed that on Windows 11, if you attempt a passkey registration on a hardware security key that has been freshly reset and you try to set a PIN that is less than the min required PIN length, a pop-up dialog appears that says "Continue setup" and offers just a cancel button? On Windows 10, a pop-up dialog appears that asks the user to try a more complex PIN.

I saw the Windows 11 behavior for the two Yubikeys that I tested -- Yubikey 5 NFC and Yubikey Bio. I saw the behavior when using Chrome and Edge, and the dialog appears to be coming from Windows, so I think it's likely an issue in webauthn.dll.

Most users know that the default min PIN length is 4, but the CTAP 2.0 specification allows for a min PIN length that is greater than 4, and in CTAP 2.1 the minPINLength property was added to the authenticatorGetInfo response to allow the platform to get the min PIN length so that it can provide proper UI guidance.

Authenticators that support FIPS 140-3 have a min PIN length requirement of 8, so the UI guidance is very important.

End quote.

So, someone had an issue with how it was handled on Windows 11 as that didn't have any UI for the extra requirements.

Regards
My1

Reply all
Reply to author
Forward
0 new messages