Idea for Clients: "use PIN instead" button when using FP-enabled FIDO2-Stick

[My1]

Hi again,

just some stupid idea that could maybe some people thinking about implementations might wanna think about.

most places where you have fingerprint and other methods you often get a choice on what to use right from the get go, with FIDO you apparently get to exhaust your fingerprint attempts before being able to use your PIN (which technically isnt required but seemingly no one gives an obvious option), which can be kinda annoying when the UV retries is allowed to go up to 25

https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#uvretries

additionally the few Fido Tokens with fingerprint support I had (from eWBM/Trustkey and Token2 so far) only spawn a "failed fingerprint" after 3 attempts, with the UV retry iirc normally sitting between 3 and 5 as far as I remember.

this means 9-15 futile tries if you know you cannot use your fingerprint (e.g. dirty hands or a shared stick your FPs aren't on yet)

interestingly fido2-token immediately goes for PIN after the first fingerprint error (which is still 3 scans but for a CLI software with limited options, that's as good as it gets)

but having just a "use PIN" button when using a fingerprint enabled FIDO2-stick seems a pretty easy thing that can make them less annoying to use.

Regards

My1