PIN not required for authentication

I’m a newbie with hardware keys but I have successfully registered my Nitrokey (3C NFC) with a website (e.g. github) and used it successfully with Firefox on Desktop (Ubuntu) and also on Android 12 (unfortunately only USB-C seems to work).

I do the authentication like this: I enter my Email on the website, then the password, then I click “login” and the hardware key is requested from the browser and I then just need to “tap” it. The PIN is never requested. Is this a bug somewhere or expected?

The ttl is 7200 = 2hours and I waited a couple of days and used a private tab and restarted the phone but I’m still able to login without entering the PIN. Or has the PIN a different purpose or do I somehow need to activate the PIN in gpa?

(I’ve also sent this request to support. Feel free to remove it here if it is seen as duplicate.)

Not sure but the following topic could be related: NK3 secrets PIN not requested

Hey Peeet,
I’m newbie too but what I figured out so far is that the website you are registering too decides whether only the user presence is checked at login (touch the nk) or if you have to enter the pin additionally.
Try to register the nitrokey at you google account (if you have one) and it should ask for the pin.
If I wrong with this anybody please feel free to correct me :wink:

But in this context I would like to aks a second question:
If I do a nitropy fido2 list-credentials I am asked for the corresponding pin but only the credentials which require the pin at login are listed and counted down from 10 slots. I see no way so far to list the fido2 credentials for which only user presence is checked.
Is this correct or am I doing anythin wrong?
Is there another way to list the “other” credentials ?

I don’t want to use it for google, but I tried it for github (“Security keys”) where I have the same problem.

Do you know another website that requires you to enter the PIN? To me it would sound a bit strange when the website could decide how to protect my nitrokey.

(btw: I have two nitrokeys and both behave this way, so this does not seem to be a hardware issue.)

You are right: there is a userVerification parameter in the credentials.get() of the Web Authentication API:

This verification is initiated by the authenticator, which will request the user to provide an available factor (for example a PIN or a biometric input of some kind).

(the authenticator is the device)

And on github (on js-webauthn-form) after I cancelled I found they don’t use required:



"discouraged": The relying party does not want user verification, in the interests of making user interaction as smooth as possible.

Hm, this is ugly. This increases problems when loosing the key. Would be nice if the website would let me configure this behaviour.