Nitrokey FIDO2 PIN creating

Hi!

This confusion comes from a couple of things:

  1. The need for the PIN is configured by the service, that is, the service requests from the browser whether to gather the PIN or not, which is written in the JavaScript source of the web page. By the standard this can be required, preferred, or discouraged.
  2. In some cases Windows proactively asks for the PIN, even when it is not required.
  3. The FIDO U2F requests, which Firefox defaults to on Linux, are not PIN-protected.
  4. For a better UX experience, it is allowed to use a common credentials database for both the FIDO U2F and FIDO2 standards. If that were not allowed, the user would have to register on both interfaces each time access like in the mentioned case was required.

For the best UX experience and according to the FIDO2 standard, it would be ideal to ask the given service to make the PIN requests required, or to ask them to make it configurable on their side. Potentially it could make FIDO U2F devices not operate with the service, though (as these do not support a PIN).
Technically we could of course modify the Nitrokey FIDO2 to not allow PIN-less requests, but 1) it would make it incompatible with the FIDO2 specification, and 2) that would make its use more confusing than needed.

More information:
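The relying-party setting from point 1 and the PIN-less U2F behaviour from point 3, as an added JavaScript example that is not part of this post or of Nitrokey's software: the first function shows where a web service sets `userVerification` to `required`, `preferred` or `discouraged` in the WebAuthn options it hands to the browser; the second part shows how the service's server can check, from the flags byte of the returned `authenticatorData`, whether the authenticator actually verified the user (PIN) or only confirmed presence (touch), which is all a U2F response carries. The function names and the sample `authenticatorData` bytes are constructed for this example; the byte layout and flag bits follow the WebAuthn specification.

```javascript
// Added example, not from the Nitrokey post. Shows (1) the relying party's
// userVerification choice in the WebAuthn request and (2) a server-side check
// of the UV flag in authenticatorData. Function names are hypothetical.

// 1. Browser side: only "required" makes the browser refuse a PIN-less
//    assertion; "preferred" and "discouraged" let a touch-only (U2F-style)
//    response through.
function buildAssertionOptions(challenge, credentialIds, userVerification = "required") {
  const allowed = ["required", "preferred", "discouraged"];
  if (!allowed.includes(userVerification)) {
    throw new Error(`userVerification must be one of ${allowed.join(", ")}`);
  }
  return {
    publicKey: {
      challenge,                                  // Uint8Array issued by the server
      allowCredentials: credentialIds.map((id) => ({ type: "public-key", id })),
      userVerification,
      timeout: 60000,
    },
  };
}
// In a browser this object is passed to navigator.credentials.get(options).

// 2. Server side: authenticatorData layout (WebAuthn, "Authenticator Data"):
//    rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
//    flags bit 0 = UP (user present / touch), bit 2 = UV (user verified / PIN).
const FLAG_UP = 0x01;
const FLAG_UV = 0x04;

function parseAuthenticatorData(authData) {
  if (authData.length < 37) throw new Error("authenticatorData too short");
  const flags = authData[32];
  const signCount = new DataView(authData.buffer, authData.byteOffset + 33, 4)
    .getUint32(0, false);
  return {
    rpIdHash: authData.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount,
  };
}

// A service that wants the PIN must check the UV bit on the server: the
// request options are under the browser's control, and a U2F response never
// sets UV, so asking for "required" alone is not a guarantee.
function assertionSatisfiesPolicy(authData, requiredUserVerification) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) return false;
  if (requiredUserVerification === "required" && !parsed.userVerified) return false;
  return true;
}

// Constructed sample authenticatorData (not captured from a real device):
// placeholder rpIdHash, caller-supplied flags, signCount = 7.
function sampleAuthData(flags) {
  const buf = new Uint8Array(37);
  buf.fill(0xab, 0, 32);
  buf[32] = flags;
  buf[36] = 7;
  return buf;
}
```

The policy check is deliberately done on the server from the returned flags rather than trusting the options sent to the browser: that is the only place the service can tell a PIN-verified FIDO2 assertion from a touch-only U2F one.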