Nitrokey FIDO2 PIN creating

Nitrokeys
1

How does one create a PIN for the new FIDO2 token?
If I select the corresponding setting in Chrome, nothing happens…

The Nitrokey app also doesn’t provide this feature.

Without a PIN this FIDO2 key is acting just like a U2F key and nothing more.

2

Chrome asked me to set a PIN when I tested this demo: https://www.passwordless.dev/usernameless#heroFoot

3

Chrome on Windows or which platform?
I tried with both Windows 10 and Linux and Chrome prompts for the key to be inserted but never detects it. The standard U2F flow works fine across browsers/platforms.

4

Nope, was on ubuntu. I was also able to change the pin in the chrome settings. Only thing that did not work was to show the stored account information (e.g. For usernameless login), this option just showed a message, stating that the key does not save account information.
BTW: after I set my pin I also get pin requests if user auth is only preferred.

5

Hi!

  • Nitrokey App does not manage Nitrokey FIDO2 at the moment. PIN setting is possible through Windows 10 settings menu, as well as Chrome settings (Settings → Privacy and Security → Manage security keys), as was mentioned in previous replies.
  • Nitrokey FIDO2 handles both FIDO U2F and FIDO2 requests. If the given service does not handle FIDO2 yet, the PIN will never be requested.
  • Even if the service is handling the FIDO2, PIN for the FIDO2 action still has to be requested on its side (called UV), so the browser would show the PIN request popup. Otherwise a standard signature will be used, based only on the user presence (UP in short), which is a touch button press in case of Nitrokey FIDO2 device. We have not added any custom code to block the PIN-less FIDO2 calls, as this would violate the FIDO2 specification. Additionally some browsers tend to use the FIDO U2F interface by default (e.g. Firefox seems to do so).

Could you provide please the test cases, so we could investigate them?

Resident keys are supported by Nitrokey FIDO2. We will look into it.

Edit:

6

I was able to read / use resident keys on windows. Does not work for me on ubuntu (both running chrome).
So probably a bug in chrome.

The resident Key was however created and stored using chrome on ubuntu…

1 Like
7

I have created a ticket to track RK-related issues with working services: nitrokey-fido2-firmware#30.

  1. Could you precise which site was working on Windows/Chrome, but not on Ubuntu/Chrome?
  2. Could you make a quick version check and post the values here as well?
  3. Just a sanity check - is the Ubuntu browser a Chrome, or a Chromium?
8

I would like to wake up this thread again.

I’m a new owner of a Nitrokey FIDO 2 which I updated to firmware 2.2.0 first of all (web update with Firefox portable 82).

Now the strange thing is this:

If I work with Windows 10 and Firefox 82 portable, a PIN window appears when using the key (webauthn devices) to enter my PIN, which I have previously set.

But if I log in via Linux Mint 19.3 and Firefox 82 for Linux Mint, no PIN request appears. It is sufficient to touch the key briefly.

Is this a security hole? PIN request only when using the stick under Win 10?

Ren

9

This behaviour is specific for the website you are logging on to. Is it Nextcloud? In this case, Nextcloud currently uses FIDO2 as single factor authentication but not as 2FA. This means, it is not necessarily stronger than a password.

10

Yes, it is Nextcloud. But when you “log in with a device” under Windows/Firefox you will be asked for a PIN, the same thing under Linux Mint/Firefox works completely without a PIN.
Is this really a normal behaviour?

It was also strange that I could only create the key in Nextcloud under Linux Mint/Firefox, not with Windows10/Firefox portable. This was probably due to the portable version of Firefox?

Ren

11

This behaviour is not perfect. It gives the impression that 2FA is used while instead 1FA is used. This is caused by Nextcloud’s verification (of the FIDO2 response) and nothing specific to Nitrokey FIDO2.

12

Okay, thanks. Well, I hope Nextcloud is working on it.

13

Hi!

This confusion comes from a couple of things:

  1. The need for the PIN is configured by the service, that is the service request from the browser to gather the PIN or not, which is written in the Javascript source of the web page. This by the standard can be required, preferred, or discouraged.
  2. In some cases Windows proactively asks for the PIN, even when it is not required.
  3. The FIDO U2F requests, which Firefox defaults to on Linux, are not PIN-protected.
  4. For the better UX experience, it is allowed to use common credentials database from both FIDO U2F and FIDO2 standards. If that would not be allowed, user would have to register on both interfaces each time, if access like in the mentioned case would be required.

For the best UX experience and according to the FIDO2 standard it would be ideal to ask given service to make the PIN requests required, or to ask them to make it configurable on their side. Potentially it could make the FIDO U2F devices not operating with the service though (as these do not support PIN).
Technically we could of course modify the Nitrokey FIDO2 to not allow PIN-less requests, but 1) it would make it FIDO2 specification-incompatible, and 2) that would make its use more confusing than needed.

More information:

14

Thank you very much for the explanations.

In any case, I now know that under Linux it does not make sense to use the stick with Nextcloud as FIDO 2 device AND as webauthn device (2FA) together. Because in this case a login would work, just knowing the username or the email address (because of the missing PIN request). Under Windows, however, this would be possible for reasons of convenience.

15

For completeness I want to add, that the service receives information whether user has provided the PIN or not, and this information is signed by the device’s key.