FIDO2: Firefox asks for a device PIN that I never set

For a few days now, Firefox has been asking me to enter some “device PIN” whenever I tried to log into any account that requires my Nitrokey FIDO2 key as the second factor (only 2FA, no password-less login). I never set any PIN for the key and don’t know why Firefox asks me for it.

I thought that it might refer to the Windows Hello PIN on my other laptop. Unfortunately, I don’t remember the PIN entirely, so I tried multiple versions of it. None of them worked, and now Firefox says that I need to reset the FIDO2 key because the PIN was entered incorrectly too often.

However, logging in with the FIDO2 stick in LibreWolf still works fine. According to https://update.nitrokey.com the firmware is up-to-date.

Even on https://update.nitrokey.com Firefox asked me to enter “the” PIN.

What should I do? Thank you!

Firefox: 112.0b6 (64-Bit), APT version
LibreWolf: 111.0.1-1, APT version
OS: Zorin OS 16.2, based on Ubuntu 20.04 LTS
Kernel: 5.15.0-67-generic

Hey!

  1. As a workaround for now, you can disable the new CTAP2 behavior in Firefox in about:config, by setting security.webauthn.ctap2 to false. I believe this is worked on already, and unset PIN state should be supported in the next releases.
  2. The PIN attempt counter is 8 total, and 3 per boot. I hope you have not locked out your keys completely, but your LibreWolf description suggests it still does work.
1 Like

Thanks, that has made the PIN prompts go away. What would it mean if I had exceeded the PIN attempts available (which is not unlikely)? Would I have to reset the FIDO2 key to use it for passwordless login?

(I never used the FIDO2 key for passwordless login and also never reset it.)

Great!
After setting the PIN, the PIN attempts counter is activated. If it gets used up (due to invalid PIN entries), all further operations are locked, except for the factory reset operation (which removes all user data, including the FIDO master secret and the Resident Keys).
This should not be possible to execute accidentally though, so you should be pretty safe with your PIN-less usage.

1 Like