How to prevent PIN prompt when using YubiKey for authentication with usernameless flow?


Selma Skopljakovic

Nov 3, 2021, 5:50:27 PM
to FIDO Dev (fido-dev)
Hello everyone,

Is it possible to configure the app to prevent the PIN prompt when using a YubiKey for authentication with the usernameless flow?
I need that flow without a PIN. Is it possible to configure the Windows-browser communication to prevent the PIN?

I already asked this on the GitHub of the FIDO2 demo project and was told to bring the question to this group. https://github.com/passwordless-lib/fido2-net-lib/issues/256#issuecomment-958995820

Thank you so much,
Selma

Funda Secgin

Nov 4, 2021, 8:26:04 AM
to Selma Skopljakovic, FIDO Dev (fido-dev)
Hello, I wish you a good day.
Thank you, I received your e-mail, but it is not sold in the city where I live; I searched in many places and could not find it.
Regards

Fs

On Thu, 4 Nov 2021 at 00:50, Selma Skopljakovic <selma.sko...@gmail.com> wrote:

Philipp Junghannß

Nov 4, 2021, 8:39:07 AM
to Selma Skopljakovic, FIDO Dev (fido-dev)
As usernameless is also passwordless, the PIN can generally be set to required by the FIDO client (the browser, or the OS if it intercepts, as with Windows 10), with not many options to override that, and considering it's supposed to be a 2-factor solution that is understandable. In the plain U2F-style solution you are supposed to ask for username and password, while in both passwordless and usernameless there is not supposed to be a password, meaning you would need the PIN to get decent 2FA. Also, obviously enough, on usernameless the data like the site, a pretty display name and a user name (which often is the email) will be stored alongside for selecting one credential if multiple exist. This obviously could lead to privacy issues if the PIN wasn't required, so I wouldn't be surprised if the PIN were enforced by several FIDO devices themselves as well.

Regards.


John Bradley

Nov 4, 2021, 9:26:44 AM
to Selma Skopljakovic, FIDO Dev (fido-dev)
The passwordless flow is typically intended to be multi-factor, so in most cases you want a PIN or biometric.

However some specialized use cases may want single factor for some reason.  

If the credential is created with CredProtect userVerificationOptional, then you can send getAssertion with UV discouraged and the user won't be prompted for verification.  

The catch is that if there are multiple discoverable credentials for the RPID the user will get a pick list with no user name information, for privacy reasons. 

I have seen this deployed using NFC readers for what Microsoft calls a tap-and-go login. This is typically used in call centres and in medical situations where typing a PIN or providing a fingerprint is not practical.

John B. 
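The flow John describes, as an added example that is not code from the thread or from the fido2-net-lib project: the WebAuthn options for registering a discoverable credential with credProtect userVerificationOptional and for a getAssertion with UV discouraged, plus a parse of the assertion's authenticator-data flags so the relying party can see that UV did not happen and treat the login as single-factor. The RP id, user and challenge values are constructed placeholders.

```javascript
// Constructed placeholder; in practice the challenge is a fresh random nonce from the server.
const CHALLENGE = new Uint8Array(32).fill(7);

// Registration options: discoverable (resident) key so no username is needed at login,
// and the credProtect extension set to userVerificationOptional so a later assertion
// with UV "discouraged" does not force a PIN prompt on the client.
function buildCreationOptions(rpId, userId, userName) {
  return {
    challenge: CHALLENGE,
    rp: { id: rpId, name: "Example RP" },
    user: { id: userId, name: userName, displayName: userName },
    pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }],
    authenticatorSelection: {
      residentKey: "required",
      requireResidentKey: true,
      userVerification: "discouraged",
    },
    extensions: {
      credentialProtectionPolicy: "userVerificationOptional",
      enforceCredentialProtectionPolicy: false,
    },
  };
}

// Authentication options for the usernameless, single-factor case: empty allowCredentials
// (the authenticator picks from its discoverable credentials) and UV discouraged.
// These are passed to navigator.credentials.get() in the browser.
function buildRequestOptions(rpId) {
  return { challenge: CHALLENGE, rpId, allowCredentials: [], userVerification: "discouraged" };
}

// Authenticator data layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
// The RP must read the flags instead of assuming UV happened: with UV discouraged the
// assertion is user-presence only, so the session should be treated as single-factor.
function parseAuthData(authData) {
  if (authData.length < 37) throw new Error("authenticator data too short");
  const flags = authData[32];
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  return {
    userPresent: (flags & 0x01) !== 0, // UP bit: the key was tapped
    userVerified: (flags & 0x04) !== 0, // UV bit: PIN or biometric was checked
    signCount: view.getUint32(33, false),
  };
}

// Constructed sample: UP set, UV clear, signature counter 5, as a tap-and-go assertion would carry.
const SAMPLE_AUTH_DATA = new Uint8Array(37);
SAMPLE_AUTH_DATA[32] = 0x01;
SAMPLE_AUTH_DATA[36] = 5;
```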
