FIDO2: Firefox asks for a device PIN that I never set

For a few days now, Firefox has been asking me to enter some “device PIN” whenever I tried to log into any account that requires my Nitrokey FIDO2 key as the second factor (only 2FA, no password-less login). I never set any PIN for the key and don’t know why Firefox asks me for it.

I thought that it might refer to the Windows Hello PIN on my other laptop. Unfortunately, I don’t remember the PIN entirely, so I tried multiple versions of it. None of them worked, and now Firefox says that I need to reset the FIDO2 key because the PIN was entered incorrectly too often.

However, logging in with the FIDO2 stick in LibreWolf still works fine. According to the firmware is up-to-date.

Even on Firefox asked me to enter “the” PIN.

What should I do? Thank you!

Firefox: 112.0b6 (64-Bit), APT version
LibreWolf: 111.0.1-1, APT version
OS: Zorin OS 16.2, based on Ubuntu 20.04 LTS
Kernel: 5.15.0-67-generic


  1. As a workaround for now, you can disable the new CTAP2 behavior in Firefox in about:config, by setting security.webauthn.ctap2 to false. I believe this is worked on already, and unset PIN state should be supported in the next releases:
  2. The PIN attempt counter is 8 total, and 3 per boot. I hope you have not locked out your keys completely, but your Librewolf description suggests it still does work.
1 Like

Thanks, that has made the PIN prompts go away. What would it mean if I had exceeded the PIN attempts available (which is not unlikely)? Would I have to reset the FIDO2 key to use it for passwordless login?

(I never used the FIDO2 key for passwordless login and also never reset it.)

After setting the PIN, the PIN attempts counter is activated. If it gets used up (due to invalid PIN entries), all further operations are locked, except for the factory reset operation (which removes all user data, including the FIDO master secret and the Resident Keys).
This should not be possible to execute accidentally though, so you should be pretty safe with your PIN-less usage.

1 Like