Use of a security key also requires a PIN?

jmjmjmjm
edited January 8 in Memberships

As I was going through setting up my 2 Yubikeys as a second factor of authentication, right near the end ie after I touched the key I was prompted to set up a PIN. I have set up these same keys for other sign ins eg gmail and I have never been asked to create a PIN i.e. rather just touching the key and I am in. What's up with the ask to make a PIN when setting up a Yubikey for 1Password?

This "behaviour" is not described here:

https://support.1password.com/security-key/


1Password Version: Not Provided
Extension Version: 1170
OS Version: WINDOWS 10
Sync Type: Not Provided

«1

Comments

  • kaitlynkaitlyn

    Team Member

    Hi there @jmjm! Thank you for posting a screenshot. The request looks like it's coming from Chrome rather than 1Password. I set up my YubiKey with 1Password a while back, but I don't recall ever seeing that prompt or being asked to create a PIN. After researching a bit, I did find a setting in Chrome that allows me to create a PIN for my security key.

    Does that sound like what may be happening?

  • jmjmjmjm
    edited January 8

    @kaitlyn Hello. Yes as shown in the screenshot, this request is coming from Chrome. But I never altered any settings in Chrome as this prompt never arose when I set up these Yubikeys for my gmail account. (And as might be expected I do not want to have to set up a PIN).

  • kaitlynkaitlyn

    Team Member
    edited January 8

    @jmjm – If you open your Chrome settings and search for "security key," you should see an option to manage your security key.

    Are you given the option to dismiss creating a PIN and sign into your 1Password account without Chrome being involved? You should still need to touch your YubiKey as long as it's set up with 1Password.

  • jmjmjmjm
    edited January 8

    Are you given the option to dismiss creating a PIN and sign into your 1Password account without Chrome being involved.

    No I am not.

    (I initiated this install of the Yubikeys for 1P by signing into 1password.com and going into my profile, more actions etc. Is that right?)

  • kaitlynkaitlyn

    Team Member

    @jmjm – That's exactly right. At what point did the PIN prompt appear? I'm going to re-set my own YubiKey up with my 1Password account to see if I get the same prompt.

  • jmjmjmjm
    edited January 8

    At what point did the PIN prompt appear?

    At the very end ie right after I touched the key.

    I'm going to re-set my own YubiKey up with my 1Password account to see if I get the same prompt.

    Thanks for that @kaitlyn

  • kaitlynkaitlyn

    Team Member

    Alright, @jmjm. Right after touching the key (number 7 in these instructions), here's the screen I got immediately.

    That said, I haven't set my YubiKey up with Chrome. I'll play around with it and see what happens once I do set mine up with Chrome, though. I'll keep you posted.

  • jmjmjmjm
    edited January 9

    That said, I haven't set my YubiKey up with Chrome

    I am not sure what that means.

    (I have only followed the clear instructions as shown in the 1P support document/video).

  • kaitlynkaitlyn

    Team Member

    @jmjm – You mentioned that you set your YubiKey up with your Google account. That's what I mean by that. I hadn't set up my YubiKey with Google yet, but even after setting it up with Google, I still wasn't asked to create a PIN at all.

  • jmjmjmjm
    edited January 9

    you set your YubiKey up with your Google account. That's what I mean by that.

    Oh ok.

    But when I did it for gmail I wasn't asked for a PIN; only with 1P.

    (Thanks for your continuing efforts...it is bugging me)

  • kaitlynkaitlyn

    Team Member

    @jmjm – No worries at all! I'm happy to help in any way I can. I wonder if you'd be able to reach out to Google to ask why they'd be requesting you create a PIN, though. Since it's not coming from 1Password, it's hard for me to tell the reasoning behind it.

  • Yup. I will post in the google forums.

  • kaitlynkaitlyn

    Team Member

    @jmjm – Sweet! I'm curious about it myself, so feel free to pick our conversation back up once you hear from them. :)

  • Hi there, as someone who's a massive U2F/webauthn nerd, I can jump in and explain.

    Newer Yubikeys now support the full webauthn (fido2) flow, which includes setting a pin to unlock authentication for full webauthn supported accounts. Microsoft now supports this with a webauthn only login, but Google doesn't. It appears that Agilebits has used the full webauthn spec for setting it up on the website, and now that Windows 10 1909 supports it fully, it handles the pin creation.

    That pin is stored completely locally, and is used to unlock the hardware token and is not sent to anyone. That pin is reused along all requesting services that request a FIDO2 unlock with pin, so for example if you were to add this Yubikey to a Microsoft account, it would ask you for that pin you've created, which again is not sent to Microsoft, but instead sent locally to your Yubikey to unlock.

    https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Guide/FAQ.html

  • @kaitlyn, looks like this might be handy for you guys to take a look at: https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Guide/User_Presence_vs_User_Verification.html

    User verification is not recommended for 2FA because the user will have already entered a shared secret (password) sent to the server over the network

    Given that there's already a password and a secret key being "sent to the server over the network" (replace that with SRP), it may not make sense for the Yubikey to actually need another pin that could be forgotten.

    DISCOURAGED: This value indicates that the RP does not want user verification employed during the operation (for example, to minimize disruption to the user interaction flow).

  • Hi there, as someone who's a massive U2F/webauthn nerd, I can jump in and explain.

    @plttn, as someone who is NOT a "U2F/webauthn nerd" I am so grateful that you saw my thread and took time to respond! I was losing sleep last night ;).

    Anyways while I have you on "on the line" I hope I can ask you some follow-ups:

    (The Yubikeys in question are the 5 NFC):

    • So is what I am seeing re the prompting to setup a PIN to be expected given the type of key I have? And @kaitlyn isn't seeing similarly on the same site i.e. 1Password.com as her's is a key which doesn't support (fido2)(even though the site does?). And wouldn't it be advised that 1Password provide documentation for this situation ie the one I have come across?
    • If I am correct in the first bullet then I am surprised, searching on this site and even more broadly that I see almost no reference to this "phenomenon"...shouldn't lots of users being experiencing similarly ie some sites asking for a PIN others not?
    • So with 2FA enabled signing into a full webauthn (fido2) site like Microsoft and apparently 1Password.com, on an "untrusted machine requires the physical key and a PIN...so is that like basically 3FA (or have I lost count and is it more?)
    • And this PIN you say will be the only PIN across all such sites fully supporting fido2?

    Given that there's already a password and a secret key being "sent to the server over the network" it may not make sense for the Yubikey to actually need another pin that could be forgotten.

    @plttn, to whom is the above comment directed to...1Password devs? Just to confirm, I have no choice in the matter if I am to enable my 5 NFC Yubikeys...right?

    Just curious @plttn have you setup up a physical key for this site? How long is your PIN? :).

    Anyways thanks so much for the posts.

    I look forward to hearing your reply.

  • plttnplttn
    edited January 9

    @jmjm

    So is what I am seeing re the prompting to setup a PIN to be expected given the type of key I have? And @kaitlyn isn't seeing similarly on the same site i.e. 1Password.com as her's is a key which doesn't support (fido2)(even though the site does?). And wouldn't it be advised that 1Password provide documentation for this situation ie the one I have come across?

    Yes, that's correct. Right now only the blue webauthn only Yubikey or the Yubikey 5 series supports FIDO2/webauthn (which is showing this PIN prompt you're seeing).

    If I am correct in the first bullet then I am surprised, searching on this site and even more broadly that I see almost no reference to this "phenomenon"...shouldn't lots of users being experiencing similarly ie some sites asking for a PIN others not?

    There's very few sites that actually have completely enabled full webauthn, and when I enrolled my Yubikey 5 in October of 2019, it was not requiring a PIN as far as I'm aware.

    So with 2FA enabled signing into a full webauthn (fido2) site like Microsoft and apparently 1Password.com, on an "untrusted machine requires the physical key and a PIN...so is that like basically 3FA (or have I lost count and is it more?)

    The reason Microsoft requests the PIN on supported authenticators is that you can login completely password-less on a MS account: https://www.yubico.com/2018/11/password-less-login-with-the-yubikey-5-comes-to-microsoft-accounts/

    And this PIN you say will be the only PIN across all such sites fully supporting fido2?

    If a Relying Party (the online site) requests not just User Presence (the tapping of the gold disk), but User Verification (entering the PIN), yes, that PIN will be the same for all Relying Parties that request User Verification.

    @plttn, to whom is the above comment directed to...1Password devs? Just to confirm, I have no choice in the matter if I am to enable my 5 NFC Yubikeys...right?

    Yes, that was directed at 1Password devs.

    Just curious @plttn have you setup up a physical key for this site? How long is your PIN? :).

    My Yubikey 5 managed to sneak in prior to the change from U2F to webauthn on 1Password's side of things, so it is not actually using a PIN at the moment. My PIN which i created for my MS account is only 6 characters I believe.

  • FWIW: just removed my Yubikey 5 and attempted to reenroll it, and it did prompt for a PIN, which is the behavior you're seeing.

  • Interesting. I had a PIN set for my MS account, and web successfully prompted for my PIN (which I had forgotten). I used yubikey manager to wipe my PIN, and at least on Mac, Chrome did not prompt to enter a PIN.

    Let me go ahead and try again on a Windows device which has full native Webauthn support which may result in different FIDO2 behavior.

  • plttnplttn
    edited January 9

    Yup. Using Windows 10 >=1909 will cause Windows' native webauthn prompt to set a PIN, and then will be used on Windows. Interestingly enough, me using that same Yubikey to authenticate again on my macOS device in Chrome didn't require the PIN, but Chrome was able to detect the PIN if I deleted that Yubikey and readded it on macOS.

  • The reason Microsoft requests the PIN on supported authenticators is that you can login completely password-less on a MS account

    So this is a reason why say 1Password.com shouldn't require the PIN as one requires a pw as a first step to signing in.

  • So looping back around to your question on why @kaitlyn didn't see the PIN prompt, there's now a couple potential reasons:

    1. Her Yubikey is not a FIDO2/WebAuthn supporting key, so she would have never seen it.
    2. Enrolling a FIDO2 key on macOS (unclear which OS she's using) does not prompt for a PIN for some reason.

    To clarify that message shown at the top, the Relying Party asks the browser to handle WebAuthn, and on Windows with native WebAuthn, Chrome asks the OS to handle it natively rather than using it's built in WebAuthn handler, which is what causes "this request comes from Chrome".

  • jmjmjmjm
    edited January 9

    @plttn , given your simple experiments that you have described in your most recent 2 or 3 posts in this thread it kind of seems like the "wild west" under the hood re authentiication and physical keys. (My nightmare is setting up a key on some site or even using the key on a sign in that has previously been "vetted" and having my PIN rejected :(. )

  • question on why @kaitlyn didn't see the PIN prompt, there's now a couple potential reasons:

    I eagerly await @kaitlyn 's reply ;).

  • plttnplttn
    edited January 9

    To clarify, there at most will be 1 PIN for a key, and that PIN is stored solely on the key, and you typing in the PIN is what permits the key to do the necessary cryptographic operations to prove that it's the same key that was previously registered to a Relying Party, and that the same PIN was entered.

    I really can't explain the odd behavior between macOS and Windows WebAuthn when it comes to 1Password (as I'm not the person(s) who implemented it), but now there might be enough for this behavior to be chased down by the devs.

  • Microsoft now supports this with a webauthn only login, but Google doesn't.

    Given your interest in such things @plttn do "we" know why Google doesnt and when they might?

  • there at most will be 1 PIN for a key, and that PIN is stored solely on the key

    So this single "unique" PIN is registered the first time one is prompted to choose it i.e. for me when I now go and retry setting up the key for 1Password.com?

  • In any event @plttn again I thank you for your time and patience. I for sure have learned lots...maybe others have too.

  • @jmjm the cynical guess is that Google has a lot less control over their entire use ecosystem than Microsoft does. As evidenced by the unexpected behavior on Mac, it's a little trickier to debug. Someone going full passwordless on an MS account is far more likely to be on the Windows ecosystem.

    Google's answer to full FIDO is more along the lines of using the Advanced Protection Program (which requires multiple security keys, allows only trusted apps to connect with your Google account, and making account recovery take significantly longer).

  • @jmjm

    So this single "unique" PIN is registered the first time one is prompted to choose it i.e. for me when I now go and retry setting up the key for 1Password.com?

    If you saved a PIN during setup on 1Password, then yes, that PIN will be the PIN for any other Relying Party that wants User Verification (so a Microsoft account for example).

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file