I saw the Windows 11 behavior for the two Yubikeys that I tested


Alicia Rice

Sep 30, 2024, 10:15:45 AM
to FIDO Dev (fido-dev)
Hi,

Has anyone noticed that on Windows 11, if you attempt a passkey registration on a hardware security key that has been freshly reset and you try to set a PIN that is less than the min required PIN length, a pop-up dialog appears that says "Continue setup" and offers just a cancel button? On Windows 10, a pop-up dialog appears that asks the user to try a more complex PIN.

I saw the Windows 11 behavior for the two Yubikeys that I tested -- Yubikey 5 NFC and Yubikey Bio. I saw the behavior when using Chrome and Edge, and the dialog appears to be coming from Windows, so I think it's likely an issue in webauthn.dll.

Most users know that the default min PIN length is 4, but the CTAP 2.0 specification allows for a min PIN length that is greater than 4, and in CTAP 2.1 the minPINLength property was added to the authenticatorGetInfo response to allow the platform to get the min PIN length so that it can provide proper UI guidance.

Authenticators that support FIPS 140-3 have a min PIN length requirement of 8, so the UI guidance is very important.
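The platform-side check the post refers to, as an added example that is not part of the original post and not code from Windows or any vendor: it reads minPINLength (member 0x0D of the CTAP 2.1 authenticatorGetInfo response) and turns a too-short PIN into specific guidance. The function names and the sample response bytes are constructed for illustration, and the CBOR decoder covers only the subset needed here.

```python
import unicodedata

MIN_PIN_LENGTH_KEY = 0x0D    # minPINLength member of authenticatorGetInfo (CTAP 2.1)
DEFAULT_MIN_PIN_LENGTH = 4   # assumed when the authenticator omits the member
MAX_PIN_BYTES = 63           # CTAP2 upper bound on the UTF-8 encoded PIN
# Constructed sample: status 0x00, then {1: ["FIDO_2_1"], 3: <16-byte AAGUID>, 0x0D: 8}
SAMPLE_GET_INFO = b"\x00\xa3\x01\x81\x68FIDO_2_1\x03\x50" + bytes(16) + b"\x0d\x08"

def cbor_decode(buf, pos=0):
    # Decodes one CBOR item (subset: uint, bytes, text, array, map, bool).
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if major == 7 and info in (20, 21):
        return info == 21, pos
    if info < 24:
        val = info
    elif info <= 27:
        size = 1 << (info - 24)
        val, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    else:
        raise ValueError("unsupported CBOR length encoding")
    if major == 0:
        return val, pos
    if major in (2, 3):
        raw = bytes(buf[pos:pos + val])
        if len(raw) != val:
            raise ValueError("truncated CBOR string")
        return (raw if major == 2 else raw.decode("utf-8")), pos + val
    if major in (4, 5):
        items = []
        for _ in range(val * (major - 3)):  # a map carries two items per entry
            item, pos = cbor_decode(buf, pos)
            items.append(item)
        return (items if major == 4 else dict(zip(items[0::2], items[1::2]))), pos
    raise ValueError("unsupported CBOR major type")

def min_pin_length(response):
    # response = CTAP status byte followed by the CBOR-encoded getInfo map
    if response[0] != 0x00:
        raise ValueError(f"CTAP error status 0x{response[0]:02x}")
    info, _ = cbor_decode(response, 1)
    return info.get(MIN_PIN_LENGTH_KEY, DEFAULT_MIN_PIN_LENGTH)

def pin_problem(pin, min_len):
    # Length is counted in Unicode code points after NFC normalization.
    pin = unicodedata.normalize("NFC", pin)
    if len(pin) < min_len:
        return f"PIN must be at least {min_len} characters"
    if len(pin.encode("utf-8")) > MAX_PIN_BYTES:
        return f"PIN must be at most {MAX_PIN_BYTES} bytes"
    return None
```
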