PIN Length Error

Daniel Bujak

Jun 20, 2025, 7:50:11 AM
to FIDO Dev (fido-dev)
Hi all, I'm working with a few different FIDO2 devices and recently noticed some different behavior between a custom device (let's call it DeviceA) and a Yubikey that was not present before.

The issue is that when setting the PIN for the first time on Chrome on macOS, if I enter a PIN that is too short, it fails in a nondescript way on DeviceA, while on the Yubikey, the Chrome prompt indicates that the PIN was too short.

I'm guessing it has something to do with the fact that DeviceA is CTAP2.0 only and cannot specify a min PIN length in the authenticator info, while the Yubikey is CTAP2.1. However, when I test this using the fido2.ctap Python library, both return error 0x37.

Does anyone have a better understanding of what the key management in Chrome is doing and if there is some reason that it's no longer able to prompt for a longer PIN on DeviceA?


SilentFailure.jpg
PinFailure.jpg

My1

Jun 20, 2025, 9:37:51 AM
to Daniel Bujak, FIDO Dev (fido-dev)
Device A likely doesn't respond with CTAP2_ERR_PIN_POLICY_VIOLATION.

No idea what it does spit out, likely just something that trips up the browser.

buja...@gmail.com

Jun 20, 2025, 11:56:05 AM
to FIDO Dev (fido-dev), My1, FIDO Dev (fido-dev), Daniel Bujak
When I try setting invalid PINs using https://github.com/Yubico/python-fido2, I do see both devices return 0x37 (CTAP2_ERR_PIN_POLICY_VIOLATION). 
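
Added example, not part of any post in this thread and not Chrome's or python-fido2's code: a host-side pre-check of a new PIN against a decoded authenticatorGetInfo map. It shows how a host can report "too short" with the exact minimum when minPINLength (key 0x0D, CTAP 2.1) is advertised, and how it falls back to the 4-code-point default when the member is absent. The two getInfo maps and the function names are constructed for illustration.

```python
import unicodedata

CTAP2_ERR_PIN_POLICY_VIOLATION = 0x37  # status both devices returned in the thread
GETINFO_VERSIONS = 0x01                # authenticatorGetInfo: versions
GETINFO_MIN_PIN_LENGTH = 0x0D          # authenticatorGetInfo: minPINLength (CTAP 2.1)
DEFAULT_MIN_PIN_LENGTH = 4             # code points, used when minPINLength is absent
MAX_PIN_BYTES = 63                     # UTF-8 bytes; the PIN is padded to 64 before encryption


def min_pin_length(info):
    """Return (length, advertised); advertised is False when the default is used."""
    if GETINFO_MIN_PIN_LENGTH in info:
        return info[GETINFO_MIN_PIN_LENGTH], True
    return DEFAULT_MIN_PIN_LENGTH, False


def precheck_pin(pin, info):
    """Return None if the PIN can be sent, else a message the UI can show."""
    pin = unicodedata.normalize("NFC", pin)
    required, _ = min_pin_length(info)
    if len(pin) < required:              # len() counts Unicode code points
        return f"PIN too short: need at least {required} characters"
    if len(pin.encode("utf-8")) > MAX_PIN_BYTES:
        return f"PIN too long: at most {MAX_PIN_BYTES} UTF-8 bytes"
    return None


def explain_status(status, info):
    """Turn a setPIN status byte into a user-facing message."""
    if status == 0x00:
        return "PIN set"
    if status == CTAP2_ERR_PIN_POLICY_VIOLATION:
        required, advertised = min_pin_length(info)
        source = "advertised by device" if advertised else "CTAP default"
        return f"PIN rejected by policy (minimum {required}, {source})"
    return f"setPIN failed with CTAP status 0x{status:02X}"


# Constructed getInfo maps (already CBOR-decoded); not captured from real devices.
DEVICE_A = {GETINFO_VERSIONS: ["FIDO_2_0"]}
CTAP21_KEY = {GETINFO_VERSIONS: ["FIDO_2_0", "FIDO_2_1"], GETINFO_MIN_PIN_LENGTH: 6}

if __name__ == "__main__":
    for name, info in (("DeviceA", DEVICE_A), ("CTAP2.1 key", CTAP21_KEY)):
        print(name, "->", precheck_pin("12345", info) or "ok to send",
              "|", explain_status(0x37, info))
```

With a CTAP2.0-only map, the host has no advertised minimum to check against, so a PIN that passes the default check can still come back as 0x37 from the device.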

mahmoud nabil

Jun 21, 2025, 10:06:48 AM
to My1, Daniel Bujak, FIDO Dev (fido-dev)
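I think I have decided to delete the account and sell the Gmail to someone with experience.
I cannot deal with all these traps that I am being subjected to.
Someone will introduce himself soon, and he is experienced.
He will review all the certificates, and I will give him the authorization needed to manage the account.
I am the one who authenticated the certificates in the beginning, and they were tampered with.
So I have decided to sell this account to this person for good, in return for payment, because of the psychological and financial losses I have suffered.
Thank you, brother, for your interest.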

Skybird Le

Jun 22, 2025, 9:28:54 PM
to FIDO Dev (fido-dev), mahmoud nabil, Daniel Bujak, FIDO Dev (fido-dev), My1