Limited PIN


Jelena Drca

Jul 20, 2021, 10:20:39 AM
to FIDO Dev (fido-dev)
Hello everyone, 

I have a question regarding the PIN and FIDO Conformance Tools. 

FIDO standard requires min length of PIN to be 4 and max 63. What if I want to limit PIN values to be only numbers and decrease max length? 

By the standard that is valid. But running FIDO Conformance Tools test P-1 (P-1: Try setting a new PIN that is of size between 5 and 63 characters, wait for the response, and check that the Authenticator returns CTAP1_ERR_SUCCESS(0x00)) will fail, because it generates a random PIN value with a size between 5 and 63 characters.

Can I limit PIN and still be verified by FIDO? 
Is there something that can be done to achieve the goal of being verified and having a limited PIN? 

Thank you in advance, 
Kind regards

Mohan Lale

Jul 20, 2021, 10:34:14 AM
to FIDO Dev (fido-dev), jelen...@htecgroup.com
Hi Jelena,

You can configure this in the FIDO2 Metadata in the userVerificationDetails (minLength, maxRetries) tags, shown below.


 "userVerificationDetails": [
    [
      {
        "userVerification": 1
      },
      {
        "userVerification": 4,
        "caDesc": {
          "base": 256,
          "minLength": 4,
          "maxRetries": 8,
          "blockSlowdown": 0
        }
      }
    ]
  ]


Thanks and Regards,
Mohan

Philipp Junghannß

Jul 20, 2021, 11:07:34 AM
to Jelena Drca, FIDO Dev (fido-dev)
Is there a reason why you want to have a numeric-only PIN?

If it is for a device with an integrated keypad, I doubt that clientPin even applies, as it wouldn't be a PIN supplied by the client and would be closer to a direct method of UV (similar to fingerprint, where the check also happens in the device), although I'm not sure.

However, it says min length 4 Unicode characters, which sounds like it has to allow basically anything. 


DUBOUCHER Thomas

Jul 20, 2021, 11:48:45 AM
to Philipp Junghannß, Jelena Drca, FIDO Dev (fido-dev)

Hi Jelena,

From the actual version of Client to Authenticator Protocol,

    An authenticator MAY impose arbitrary, additional constraints on PINs. If newPin fails to satisfy such additional constraints, the authenticator returns CTAP2_ERR_PIN_POLICY_VIOLATION.

You can indeed add arbitrary constraints if you need to comply with existing standards, but note that this should only be configuration specific in order to pass the conformance tests.

It’s impossible for the conformance tests to be both thorough and take into account every possible pin policy.

Best regards,

--
Thomas Duboucher
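The quoted CTAP rule and the "configuration specific" advice above can be made concrete with an authenticator-side PIN policy check. The following C code is an added example written for this thread; it is not code from the thread, from the CTAP specification, or from any FIDO project. It takes CTAP1_ERR_SUCCESS (0x00) from the thread and assumes the status code value CTAP2_ERR_PIN_POLICY_VIOLATION = 0x37 from the CTAP spec; the policy struct, the two example policies, and the function names are this example's own. The baseline policy enforces only the spec rules (minimum 4 Unicode code points, maximum 63 bytes of UTF-8), so a build that selects it passes a test like P-1, while the numeric-only policy is a separate, narrower configuration that returns CTAP2_ERR_PIN_POLICY_VIOLATION for anything outside its rules.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Status codes: 0x00 as cited in the thread; 0x37 assumed from the CTAP spec. */
#define CTAP1_ERR_SUCCESS              0x00
#define CTAP2_ERR_PIN_POLICY_VIOLATION 0x37

/* Hypothetical policy record (this example's own, not a CTAP structure).
 * Spec baseline: at least 4 Unicode code points, at most 63 UTF-8 bytes. */
typedef struct {
    size_t min_code_points; /* spec minimum is 4 */
    size_t max_bytes;       /* never above the spec maximum of 63 */
    bool   digits_only;     /* vendor-specific extra constraint */
} pin_policy_t;

/* Policy for the conformance build: spec rules only, nothing extra. */
static const pin_policy_t POLICY_CONFORMANCE = { 4, 63, false };

/* Policy for a numeric-keypad product: digits only, 4 to 8 digits. */
static const pin_policy_t POLICY_NUMERIC = { 4, 8, true };

/* Count UTF-8 code points: every byte that is not a continuation byte
 * (10xxxxxx) starts a new code point. Assumes well-formed UTF-8. */
static size_t utf8_code_points(const uint8_t *s, size_t n)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        if ((s[i] & 0xC0) != 0x80)
            count++;
    }
    return count;
}

/* newPin arrives zero-padded to a fixed block; the real PIN is the
 * prefix before the first 0x00 byte. Returns that prefix length. */
size_t padded_pin_len(const uint8_t *padded, size_t padded_len)
{
    size_t n = 0;
    while (n < padded_len && padded[n] != 0x00)
        n++;
    return n;
}

/* Apply the selected policy to a candidate PIN and return a CTAP status. */
uint8_t check_new_pin(const pin_policy_t *p, const uint8_t *pin, size_t len)
{
    /* Spec maximum applies regardless of how the policy is configured. */
    if (len > 63 || len > p->max_bytes)
        return CTAP2_ERR_PIN_POLICY_VIOLATION;

    /* Minimum length is measured in code points, not bytes. */
    if (utf8_code_points(pin, len) < p->min_code_points)
        return CTAP2_ERR_PIN_POLICY_VIOLATION;

    /* Vendor-specific constraint: only ASCII digits allowed. */
    if (p->digits_only) {
        for (size_t i = 0; i < len; i++) {
            if (pin[i] < '0' || pin[i] > '9')
                return CTAP2_ERR_PIN_POLICY_VIOLATION;
        }
    }
    return CTAP1_ERR_SUCCESS;
}

int main(void)
{
    /* Constructed sample PINs, one of them non-ASCII (4 code points, 5 bytes). */
    const char *samples[] = { "1234", "p\xC3\xA4ss", "12a4", "123456789", "abc" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const uint8_t *pin = (const uint8_t *)samples[i];
        size_t len = strlen(samples[i]);
        printf("conformance policy: %s -> 0x%02x, numeric policy: 0x%02x\n",
               samples[i],
               check_new_pin(&POLICY_CONFORMANCE, pin, len),
               check_new_pin(&POLICY_NUMERIC, pin, len));
    }
    return 0;
}
```

The point of keeping the two policies as separate data rather than branching on a build flag inside check_new_pin is that the conformance run and the product run exercise the same code path; only the constraints differ, which is what the "configuration specific" advice amounts to.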

Philipp Junghannß

Jul 20, 2021, 12:00:51 PM
to DUBOUCHER Thomas, Jelena Drca, FIDO Dev (fido-dev)
Cool to know.

I totally overlooked that part (when using ctrl+F it's apparently deep in the series of steps for setting and changing PIN, rather than in the composition requirements, where one would actually look for such a thing, which is also the part where I looked.)