User / Admin PIN issues

I can use my user PIN but if I wanna use my admin PIN it says to attempts left (only by the admin PIN change menu).

If I go to e.g. configure → OTP and passwords I cannot add a new OTP but I am able to enter the admin PIN (it also shows “Attempts left: =0”).

What can I do? I don't wanna reset my Nitrokey.

Also, is it normal that you can enter your user PIN but not your admin PIN? I never entered any PIN wrong more than once.

/edit: If I try to reset with the Nitrokey App I don't get the information “device blocked” or something like this, I only get “wrong PIN, try again”.

Hi @Perflyst !

Unfortunately this means that you have used all your Admin PIN attempts. User and Admin each have a separate counter, hence such a situation is possible. Having the Admin PIN blocked results in read-only access to the device via the User PIN, and this cannot be changed without resetting it. The device is not blocked, only its write access.

If that helps: OTP secrets are not protected via the smart card, so after the reset they should still be there. Password Safe though will be cleared, so please use the User PIN to make a backup of it beforehand.

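To see which counter is actually exhausted before deciding on a reset, here is an added example (not from this thread or from Nitrokey) that parses the `PIN retry counter` line of `gpg --card-status` output, whose three numbers are the remaining attempts for the User PIN, the Reset Code and the Admin PIN, and reports the read-only state described above; the sample output is constructed, not captured from a real device.

```python
import re

# Constructed sample of `gpg --card-status` output (only the lines this check needs).
# The three numbers on the "PIN retry counter" line are, in order, the remaining
# attempts for the User PIN, the Reset Code and the Admin PIN.
SAMPLE_ADMIN_BLOCKED = """\
Reader ...........: (constructed placeholder)
Application ID ...: (constructed placeholder)
PIN retry counter : 3 0 0
Signature counter : 12
"""

SAMPLE_HEALTHY = """\
Reader ...........: (constructed placeholder)
PIN retry counter : 3 3 3
Signature counter : 0
"""

RETRY_RE = re.compile(
    r"^PIN retry counter\s*:\s*(\d+)\s+(\d+)\s+(\d+)\s*$", re.MULTILINE
)


def parse_retry_counters(card_status: str) -> dict:
    """Return the three retry counters from card-status text, or raise if absent."""
    m = RETRY_RE.search(card_status)
    if m is None:
        raise ValueError("no 'PIN retry counter' line found in card-status output")
    user, reset_code, admin = (int(x) for x in m.groups())
    return {"user": user, "reset_code": reset_code, "admin": admin}


def assess(card_status: str) -> dict:
    """Classify the device state from its counters (User and Admin are independent)."""
    c = parse_retry_counters(card_status)
    return {
        **c,
        "user_pin_blocked": c["user"] == 0,
        "admin_pin_blocked": c["admin"] == 0,
        # Admin exhausted while User still works: the situation in this thread,
        # i.e. the card is usable but effectively read-only until it is reset.
        "read_only": c["admin"] == 0 and c["user"] > 0,
        # A blocked User PIN can still be unblocked (via the Admin PIN or the
        # Reset Code) only while one of those two counters is non-zero.
        "user_pin_recoverable": c["user"] == 0
        and (c["admin"] > 0 or c["reset_code"] > 0),
    }
```

Run it against the live output of `gpg --card-status` to confirm the counters before attempting any further PIN entries.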

Thanks for the huge explanation. But if the OTPs aren’t deleted, it is possible to brute-force them, isn’t it?

You are welcome!
Yes, at the moment they are not protected in case of the device being stolen (hence the warning messages in the OTP configuration window). I think the reasoning here is that the OTP secrets could easily be regenerated and, being only a 2nd factor, they alone will not be enough to log in to a service. Is that right @nitroalex ?

Perhaps this could be implemented later (if there is interest) in a similar way as with Password Safe, but it would make the special-key double-press not work without unlocking the device first (and some other issues I might be missing now).

That is right. Requiring a password for the OTP would usually be a 3rd factor, and usually a 2nd factor is what is desired.

If that would help, OTP secrets are not protected via the smart card, so after the reset they should still be there. Password Safe though will be cleared, so please use User PIN to make its backup beforehand.

Looking at the firmware, the OTP slots should be cleared by the factory reset command (which I think makes sense) – see CcidLocalAccess.c, lines 903–942. Are there other ways to reset the device that do not reset the OTP slots?

That’s correct. It has to be executed by the user. I believe this is the only reset function.
What kind of state would you like to achieve on the device / why would you need such a reset function?

It’s totally fine for me! I think there is no reason to not reset the OTP slots if you reset the PINs. I just thought there might be other options because you suggested that a stick reset does not necessarily clear the slots.

Ah, I see. There are two kinds of reset here: the smartcard reset and the device reset. Both are responsible for clearing different things:

  • smartcard reset removes all GnuPG keys, personal information and data objects (DOs) - this means that both Password Safe and Encrypted/Hidden Volumes would be destroyed, since they depend on the AES DO. OTP slots will remain as they were. It can be done via the CCID interface, e.g. using gpg or our reset script;
  • device factory reset - this overwrites all OTP/PWS slots saved in the device’s internal memory, sets OTP flags to default and does the smartcard reset as well (see Storage firmware source code [1] [2]). This one can be executed via the HID interface only, e.g. using the Nitrokey App.