
How to prevent PIN prompt when using YubiKey for authentication with usernameless flow? #256

Open
selmaskopljakovic opened this issue Oct 20, 2021 · 6 comments

Comments

@selmaskopljakovic

Hello guys,

is it possible to configure the app to prevent the PIN prompt when using a YubiKey for authentication with the usernameless flow?
I need that flow without a PIN. Is it possible to configure the Windows-browser communication to prevent the PIN?

Thank you so much,
Selma

@aseigler
Collaborator

From what I recall from duo-labs/webauthn.io#13, userVerification has to be set to discouraged, and that will suppress the PIN prompt. Haven't messed with this recently and not sure how the demo site is configured currently.

@selmaskopljakovic
Author

Thank you for your response!
Unfortunately, the demo shows the PIN prompt with userVerification set to discouraged.
It seems like somehow it always shows the PIN prompt in the case of the usernameless/passwordless flow when using YubiKey authentication.
Could you or someone check this?
Thanks a lot

@mackie1001
Contributor

@selmaskopljakovic
My take on it is that typically you'd want PIN verification for usernameless/passwordless as that provides effective 2FA in a single roundtrip whereas discouraged could/should be used for the second factor flow where you don't want/need 3FA.

The clue about the intent is in the name "discouraged" - i.e. it's not "disallowed". Ultimately if the vendor decides that for a passwordless flow that the PIN must be used (if defined) then I don't think there's anything you can do about it via the WebAuthn API.

That said, I'm exploring a use case involving warehouse operatives using a browser-based application on Android-based guns equipped with NFC, and it'd be pretty desirable to not require a PIN prompt in that situation (they want to eliminate as much typing as possible). The solution may come down to choosing an NFC security key that can operate without additional PIN protection if that's what the customers ultimately want. That said, these devices do have a pretty chunky keypad which makes PIN entry pretty swift and painless, so it may prove to be a non-issue.

I'd recommend raising this on the FIDO2 Google group as you're more likely to get input from spec authors and vendors there.
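The two points raised above (setting userVerification to "discouraged" for the usernameless request, and the fact that "discouraged" only asks the platform not to prompt, so the relying party cannot assume a PIN was or was not used) can be made concrete with a small example. This is added illustration code, not code from fido2-net-lib or from anyone in this thread; the request shape follows the WebAuthn `PublicKeyCredentialRequestOptions` dictionary, the flag bit positions follow the WebAuthn authenticatorData layout, and `sampleAuthData` is a constructed stand-in for a real assertion.

```javascript
// Added example (not fido2-net-lib code). Browser-side request for a
// usernameless assertion plus the relying-party-side check of the UV flag
// that decides how many factors the assertion actually proves.

const FLAG_UP = 0x01; // bit 0: user present (touch)
const FLAG_UV = 0x04; // bit 2: user verified (PIN or biometric)

// Browser side: an empty allowCredentials list makes the authenticator pick a
// discoverable (resident) credential. "discouraged" asks the platform not to
// collect a PIN; the platform or authenticator may still decide to prompt.
function buildUsernamelessRequest(challenge, rpId, userVerification = 'discouraged') {
  return {
    publicKey: { challenge, rpId, allowCredentials: [], userVerification, timeout: 60000 },
  };
}

// RP side: the flags byte sits at offset 32, right after the 32-byte rpIdHash.
function parseAuthDataFlags(authData) {
  if (authData.length < 37) throw new Error('authenticatorData too short');
  const flags = authData[32];
  return { up: (flags & FLAG_UP) !== 0, uv: (flags & FLAG_UV) !== 0 };
}

// Policy check. With "required", a missing UV flag must fail the assertion.
// With "discouraged" (or "preferred"), a missing UV flag is acceptable, but the
// assertion then proves possession of the key only and must not be counted as
// two-factor just because the request was usernameless.
function evaluateAssertion(authData, requestedUv) {
  const { up, uv } = parseAuthDataFlags(authData);
  if (!up) return { ok: false, reason: 'user presence not asserted' };
  if (requestedUv === 'required' && !uv) {
    return { ok: false, reason: 'user verification required but not performed' };
  }
  return { ok: true, factors: uv ? 2 : 1 };
}

// Constructed sample authenticatorData: rpIdHash (32 zero bytes for the
// example) + flags + 4-byte big-endian signature counter.
function sampleAuthData(flags) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  buf[36] = 1;
  return buf;
}
```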

@aseigler
Collaborator

I think I know what the issue is with the demo site and I am working on updates and enhancements on this branch https://github.com/passwordless-lib/fido2-net-lib/tree/demo-update

@selmaskopljakovic
Author

selmaskopljakovic commented Nov 18, 2021 via email

@selmaskopljakovic
Author

Hi @aseigler,

can you just confirm if it is possible to have no PIN prompt when using YubiKey for authentication with usernameless flow?
It is important for me to know in which direction to go in implementation of my project. I'm stuck with this part. The decision of the final solution depends on this PIN prompt in my case.

Thank you so much!
Selma
