Configure Fido u2f pin

Hello. Can i set a pin for the apex fido u2f applet?

In the FIDO world, key authentication can always be done, and a PIN is only used to additionally verify a user if the relying party requires that.

The U2F applet cannot do pin user verification, instead it signals one-shot verification, as you tap the token to the reader.

FIDO2 has the clientPin protocol implemented, which allows setting a PIN to do user verification.

These PINs are not designed to “lock-down” the applet.

I don’t really understand. First you write that it is not possible and then you write that it is possible. What do I do if a page requires a pin for user verification?

I think I know the problem here.

FIDO U2F is the first iteration of the FIDO standard (October 9, 2014). It is used for Universal 2 Factor only. It does not support PIN codes.

Then came FIDO2, which is a different FIDO standard (November 12, 2015). It supports full passwordless authentication as well as additional features over and above FIDO U2F, including PIN support.

When you deploy the “fido” applet for Apex Flex via Fidesmo, you can choose U2F or FIDO2. Our U2F applet is feature complete, but our FIDO2 applet is still in rough shape and it is a BETA version only. You cannot install both U2F and FIDO2 on the same device, they are not compatible side by side.

If you use the Apex Manager app, it will tell you which applet you have installed… if it’s U2F or FIDO2. I personally have the U2F applet deployed for two reasons; 1) our U2F applet is stable and finished while the FIDO2 applet is kinda garbage right now, and 2) almost all websites support U2F but only a few things support / require FIDO2

The FIDO protocols have essentially two levels of how “trustworthy” a response from the authenticator is:

  • user not verified
  • user verified

A response and signature using the private key is generated in both cases. It is up to the website to require that kind of additional user verification.

User verification can be done by e.g.:

  • Implicit physical presence (tap via NFC), this is done in the U2F applet
  • Biometrics on the chip itself, e.g.a fingerprint reader
  • Entering and transmitting a PIN code from the host PC, this is implemented in FIDO2

FIDO2 requires user verification if a so called resident key shall be created, i.e. persistently stored on the authenticator itself. U2F does not support resident keys.

I suppose your website tries to generate a resident key, and then tries to force a PIN. This should not happen if the Browser detects a U2F key.

Which Browser, operating system and website are you having problems with?

Edit: also, the current FIDO2 beta on Fidesmo is very unstable, but will receive an update soon.

I testing the applet on and yubico playground. When i check passwordless it times out but it works fine when i uncheck passwordless and user verification

Sounds like you have u2f installed, not Fido2.

Webauthn is a fido2 thing… however, fido2 supports an optional feature called fallback which allows the use of u2f for two factor. Passwordless features are only available for fido2, which is why it only works when unchecked… you have the u2f applet installed and is falling back to u2f in your testing.

Ok. Tnx

I made this diagram (might not be 100% correct but enough to get the point across):

As Amal explained, passwordless (i.e. extract the user name from the authenticator) requires discoverable aka. resident keys, which only are supported in FIDO2.

Because browsers and operating systems know that resident keys require user verification, they prompt for a PIN code (the most basic form of user verification), even though the authenticator can’t do it.