Was trying to use a YubiKey for FIDO2 authentication. Noticed that we can set up a PIN on the device with YubiKey Manager. Looks like that is a YubiKey-wide PIN. Do we have the flexibility to set up a PIN for each credential pair that gets stored on the YubiKey?
The closest I found to make me think that is a DEVICE-SPECIFIC PIN is this link: https://developers.yubico.com/yubikey-piv-manager/PIN_and_Management_Key.html#:~:text=There%20is%20a%20limit%20of,of%20the%20user's%20account%20name. which says Device PIN at the very top.
Thanks
Arun
Depending on the YubiKey that you have, it will have multiple protocols.
On all Fido2 capable Yubikeys there is a single PIN for Fido.
You can set or change the PIN via Windows 10: ms-settings:signinoptions-launchsecuritykeyenrollment
You can also do it in Chrome if you are not on Windows. chrome://settings/securityKeys
You could also use YubiKey Manager (on Win 10 you need to run it as admin, so the Windows settings app is preferred).
PIV is the PKIX smart card interface used by many government and enterprise applications. It has a PIN that is separate from the FIDO2 PIN.
If you have a YK4 FIPS key there is a PIN for U2F, but that is a much longer explanation; don't do FIPS unless someone is forcing you for some regulatory reason.
GPG-card also has a separate pin if you are using that.
Bottom line is there are multiple PINs on a YubiKey, but they are one per application.
If it is a FIDO2 key, Chrome and Windows will do the correct thing to try and configure a PIN if an RP requests multifactor authentication.
FIDO2 doesn't support per-credential PINs.
John B.
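The relying-party side of what John describes, as an added example that is not part of this thread: the RP cannot ask for a per-credential PIN, it can only set `userVerification: "required"`, which makes the browser/platform collect the key's single FIDO2 PIN (or a biometric), and it must then check the UV flag in the returned authenticator data. The rp/user fields and the sample authenticator data bytes are constructed placeholders.

```javascript
// Added example (not from the thread). WebAuthn creation options: the
// userVerification setting is the only lever an RP has over the FIDO2 PIN.
// rp.id, user and the zeroed challenge are constructed placeholders; a real
// server sends a fresh random challenge.
const creationOptions = {
  rp: { id: "example.test", name: "Example RP" },
  user: { id: new Uint8Array(16), name: "arun", displayName: "Arun" },
  challenge: new Uint8Array(32),
  pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
  authenticatorSelection: {
    authenticatorAttachment: "cross-platform",
    userVerification: "required", // triggers PIN entry / PIN setup on the key
  },
};

// Authenticator data layout (WebAuthn): rpIdHash[32] | flags[1] |
// signCount[4] | optional attested credential data | optional extensions.
const FLAG_UP = 0x01; // user present: the key was touched
const FLAG_UV = 0x04; // user verified: PIN or biometric checked on the key

function parseAuthData(authData) {
  if (authData.length < 37) throw new Error("authData too short");
  const flags = authData[32];
  const signCount =
    ((authData[33] << 24) | (authData[34] << 16) | (authData[35] << 8) | authData[36]) >>> 0;
  return {
    rpIdHash: authData.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount,
  };
}

// RP check: if UV was "required", a response with the UV flag clear must be
// rejected, otherwise a touch-only assertion (no PIN) would be accepted.
function verificationSatisfied(authData, requested) {
  const parsed = parseAuthData(authData);
  if (!parsed.userPresent) return false;
  if (requested === "required") return parsed.userVerified;
  return true; // "preferred" / "discouraged": UV is optional
}

// Constructed sample responses: filler rpIdHash, given flags, counter = 1.
function sampleAuthData(flags) {
  const buf = new Uint8Array(37);
  buf.fill(0xab, 0, 32);
  buf[32] = flags;
  buf[36] = 1;
  return buf;
}
const withPin = sampleAuthData(FLAG_UP | FLAG_UV); // PIN/biometric was done
const touchOnly = sampleAuthData(FLAG_UP);         // touch only, no PIN
```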
--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/CABKFgsUgyT2j1om4rhv2DWT7pN6shNOuij0Con7Ht4tVcpA8RA%40mail.gmail.com.
Arun,
The device-wide PIN you are referring to is device-wide and NOT specific to any one application or credential. This is used in SOME FIPS-world usages for a secondary auth method, namely in the event a YK is misplaced, so that mere use of it is not likely to compromise the credentials. Some applications like GPG on the YK also require that PIN for admin-level commands/use on that YK.