Nitrokey 3: (FIDO2) Pin confusion

I am currently testing my NK3 Mini which was updated to the latest firmware.

Regarding the FIDO2 PIN (I call it like that as I have to enter it for the FIDO2 test):
I did set a FIDO2 PIN using the Chromium browser. This worked out, and I need to use the --pin option when doing nitropy nk3 test.
First I tested the setup at TOKEN2 - FIDO2 Demo - WebAuthn Login test which worked fine.
However when using Firefox (102.11.0esr) I was not asked for the FIDO2 pin.
Next test was with webauthn.io resulting in problems:
Using Chromium works fine (register and authenticate), a FIDO2 key is saved on the Nitrokey (nitropy fido2 list-credentials)
Using Firefox to register and authenticate works fine but no key is saved to the Nitrokey.
Using Chromium to register and trying to authenticate in Firefox does not work, leading to a crash and making all further operations in nitropy impossible (Critical error: …failed (CTAP error: 0x06 - CHANNEL_BUSY)).
This seems more associated to Firefox than to the Nitrokey but I think when a pin was set up there should be no way around the pin by using another browser.

Second question:
What is the difference between the FIDO2 PIN and the one set using nitropy nk3 secrets set-pin?

Hey, sorry for the late reply! Maybe I can bring a bit of light in here…

Regarding the FIDO2 PIN (I call it like that as I have to enter it for the FIDO2 test):
I did set a FIDO2 PIN using the Chromium browser. This worked out, and I need to use the --pin option when doing nitropy nk3 test.

Depending on what platform you are you can use our Nitropy utility, Chrome/Chromium, and on Windows the “Settings” application to set/change the FIDO2 PIN on the Nitrokey.

First I tested the setup at TOKEN2 - FIDO2 Demo - WebAuthn Login test which worked fine.
However when using Firefox (102.11.0esr) I was not asked for the FIDO2 pin.

The mentioned Firefox version likely didn’t support CTAP2, or at least it wasn’t enabled by default. The feature was enabled by default with Firefox 114. See the release notes here.

Next test was with webauthn.io resulting in problems:
Using Chromium works fine (register and authenticate), a FIDO2 key is saved on the Nitrokey (nitropy fido2 list-credentials)
Using Firefox to register and authenticate works fine but no key is saved to the Nitrokey.
Using Chromium to register and trying to authenticate in Firefox does not work, leading to a crash and making all further operations in nitropy impossible (Critical error: …failed (CTAP error: 0x06 - CHANNEL_BUSY)).
This seems more associated to Firefox than to the Nitrokey but I think when a pin was set up there should be no way around the pin by using another browser.

This depends on what the website requests and what the browser supports. Assuming you have a browser with CTAP2 enabled, the website can ask for user verification. There are three options: required, preferred, and discouraged. The website likely asked for preferred, and then it silently failed because it was not supported. This is simplified; the standard is complex. You can find some information here, and more online when you search with the right keywords.

Second question:
What is the difference between the FIDO2 PIN and the one set using nitropy nk3 secrets set-pin?

The FIDO2 PIN is for all operations regarding FIDO2 login, like the scenario you described above. The secrets PIN is for the password and OTP keystore on the Nitrokey.

Hope that helps! :slightly_smiling_face:
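The user-verification point in the reply above (required vs. preferred, and why "preferred" can silently skip the PIN) is easiest to see from the relying party's side. The following is an added example, not code from this thread, from Nitrokey, or from webauthn.io; the function names, the zeroed sample authenticatorData and the counter value 7 are constructed for illustration. The flag bit positions (UP = bit 0, UV = bit 2) and the 37-byte authenticatorData prefix layout come from the WebAuthn specification.

```javascript
// Added example: a relying party requests user verification and then checks the
// UV flag in the returned authenticatorData. Not from the original thread.

// Flag bits of the authenticatorData "flags" byte (WebAuthn spec, authenticator data).
const FLAG_UP = 0x01; // user present (touch)
const FLAG_UV = 0x04; // user verified (PIN or biometric)

// Build PublicKeyCredentialRequestOptions for navigator.credentials.get().
// "required" makes a CTAP2-capable client collect the PIN; "preferred" lets a
// client that cannot do UV (e.g. the old Firefox ESR in the thread) proceed
// without it, so the RP must still check the UV flag afterwards.
function buildRequestOptions(challenge, rpId, userVerification = "required") {
  return {
    publicKey: {
      challenge,        // Uint8Array of random bytes, generated per request
      rpId,
      timeout: 60000,
      userVerification, // "required" | "preferred" | "discouraged"
    },
  };
}

// Parse the fixed-length prefix of authenticatorData:
// 32-byte rpIdHash, 1-byte flags, 4-byte big-endian signCount.
function parseAuthenticatorData(bytes) {
  if (bytes.length < 37) throw new Error("authenticatorData too short");
  const signCount =
    ((bytes[33] << 24) | (bytes[34] << 16) | (bytes[35] << 8) | bytes[36]) >>> 0;
  return { rpIdHash: bytes.slice(0, 32), flags: bytes[32], signCount };
}

// Server-side policy check (hypothetical helper): accept only if the user was
// present and, when the RP required verification, the UV bit is set. This is
// what prevents a client that skipped the PIN from being accepted.
function verifyFlags(authData, requireUV) {
  const { flags } = parseAuthenticatorData(authData);
  if (!(flags & FLAG_UP)) {
    return { ok: false, reason: "user presence not asserted" };
  }
  if (requireUV && !(flags & FLAG_UV)) {
    return { ok: false, reason: "user verification (PIN) not performed" };
  }
  return { ok: true, reason: "" };
}

// Constructed sample authenticatorData (not captured from a real device):
// all-zero rpIdHash, the given flags byte, signCount = 7.
function sampleAuthData(flags) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  buf[36] = 7;
  return buf;
}

// Illustration: an assertion without UV passes a "preferred" policy but
// fails a "required" one.
const withPin = verifyFlags(sampleAuthData(FLAG_UP | FLAG_UV), true);
const noPin = verifyFlags(sampleAuthData(FLAG_UP), true);
console.log("PIN entered, UV required:", withPin.ok);   // true
console.log("PIN skipped, UV required:", noPin.ok, noPin.reason); // false
```

A real deployment would additionally compare rpIdHash against SHA-256 of the expected RP ID, verify the signature over authenticatorData and the client data hash, and check that signCount increased; only the flag handling is shown here because that is where the "no PIN prompt in Firefox" observation from the thread becomes a server-side decision.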

Hi Markus,
thanks for your answer. I figured some of them out in the meantime, but it is good to have it confirmed anyway :slight_smile: