FIDO2 PIN reset

Nitrokeys FIDO2 / Nitrokey 3
1

Hello.

I recently read this post and want to test my key for fido.

But I can’t get it to work.

nitropy fido2 list
Command line tool to interact with Nitrokey devices 0.4.47
:: 'Nitrokey FIDO2' keys

and

nitropy nk3 test --pin 1234567
Command line tool to interact with Nitrokey devices 0.4.47
Found 1 Nitrokey 3 device(s):
- Nitrokey 3 at /dev/hidraw4

Running tests for Nitrokey 3 at /dev/hidraw4

[1/5]   uuid            UUID query                      SUCCESS         CD2ED10C99626554A13EAD1391B27468
[2/5]   version         Firmware version query          SUCCESS         v1.7.0
[3/5]   status          Device status                   SUCCESS         Status(init_status=<InitStatus.0: 0>, ifs_blocks=50, efs_blocks=478, variant=<Variant.LPC55: 1>)
Running SE050 test: |                                                                                        
[4/5]   se050           SE050                           SUCCESS         SE050 firmware version: 3.1.1 - 1.11, (persistent: (30716,), transient_deselect: (607,), transient_reset: (592,))
Please press the touch button on the device ...
[5/5]   fido2           FIDO2                           FAILURE         (<ERR.BAD_REQUEST: 2>, CtapError('CTAP error: 0x31 - PIN_INVALID'))

5 tests, 4 successful, 0 skipped, 1 failed

Summary: 1 device(s) tested, 0 successful, 1 failed

Then I thought I used the wrong pin

nitropy nk3 test --pin 123456
Command line tool to interact with Nitrokey devices 0.4.47
Found 1 Nitrokey 3 device(s):
- Nitrokey 3 at /dev/hidraw4

Running tests for Nitrokey 3 at /dev/hidraw4

[1/5]   uuid            UUID query                      SUCCESS         CD2ED10C99626554A13EAD1391B27468
[2/5]   version         Firmware version query          SUCCESS         v1.7.0
[3/5]   status          Device status                   SUCCESS         Status(init_status=<InitStatus.0: 0>, ifs_blocks=50, efs_blocks=478, variant=<Variant.LPC55: 1>)
Running SE050 test: |                                                                                        
[4/5]   se050           SE050                           SUCCESS         SE050 firmware version: 3.1.1 - 1.11, (persistent: (30716,), transient_deselect: (607,), transient_reset: (592,))
Please press the touch button on the device ...
[5/5]   fido2           FIDO2                           FAILURE         (<ERR.BAD_REQUEST: 2>, CtapError('CTAP error: 0x32 - PIN_BLOCKED'))

5 tests, 4 successful, 0 skipped, 1 failed

Summary: 1 device(s) tested, 0 successful, 1 failed

I even can not make a fido2 reset

nitropy fido2 reset
Command line tool to interact with Nitrokey devices 0.4.47
Reset is only possible 10secs after plugging in the device.
Please (re-)plug in your Nitrokey FIDO2 now!
Warning: Your credentials will be lost!!! continue? [(y)es/(n)o]: Y
choosing: yes
Press key to confirm -- again, your credentials will be lost!!!
Critical error:
Reset failed (CTAP error: 0x30 - NOT_ALLOWED)
Did you confirm with a key-press 10secs after plugging in?

Any Ideas?
I did not set a pin for the key for fido.
How can I reset this?

Regards
T.L

2

It is important that you only insert the key after you have selected “nitropy fido2 reset”.
And you only have 10 seconds for “yes” and for touching the key.

Does it work like this?

3

Yes that was the reason! :slight_smile:
Thank you!