Individual PINs for FIDO2 keys?

When I create SSH keys with ssh-keygen, it asks for the NK3 PIN:

Enter PIN for authenticator: 

When I use the key (generated with -O verify-required), I have to use the NK3 PIN to answer the prompt:

Enter PIN for ED25519-SK key .ssh/buexe.ed25519-sk: 

This looks like there could be a key-specific PIN, except I have no way to enter it. Chrome also has no way to change the key PIN. If there is one.

While for my purposes a single PIN is OK, I can imagine users who would like to have separate PINs. So this is a low-priority feature request, aka “nice to have”. :slight_smile:

Hey @Schluesselnitrat

just had a short glance at the Specs and did not find anything related to specific PINs for RKs. It could also be that the tooling is just eager to be precise about this security-critical operation. Similar to your bank, which will ask you: “Confirm sending 500€ to Schluesselnitrat IBAN 123 312”, which does not necessarily mean I can choose a PIN for this recipient… mmh, medium level comparison :smiley: but I hope you get the point.

Nevertheless, if you find something in the specs, don’t hesitate to prove my guess wrong :wink:

Thanks for trying to look this up in the specs. Probably the SSH people aren’t sure about this, either. Let’s leave this as it is. If anybody finds a real requirement, they can start from here.