MichaelGrafnetter / webauthn-interop

Passkeys/FIDO2/WebAuthn .NET Library for Windows Desktop and CLI Applications
MIT License

Enhancement Request: Set PIN via switch #22

Open DoctorQuandary opened 4 days ago

DoctorQuandary commented 4 days ago

Is there any way this could be enhanced to be able to set a PIN via switch? This could be helpful for bulk deployment of keys without having to manually type in each individual PIN.

Possibly skipping the GUI process entirely would also be beneficial for this.

aseigler commented 3 days ago

This and setting forceChangePin.

Both should be doable, but there is no documented API (via webauthn.h) for either, which makes things a tad tricky.

As far as no UI at all goes, the only way to guarantee that is running something as admin which talks CTAP2 directly to the authenticator.

MichaelGrafnetter commented 3 days ago

One would need to perform some reverse engineering of webauthn.dll, which contains a lot of undocumented functions.

Another approach would be to use Yubico's libfido2. But you definitely do not want to implement this capability from scratch.
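The libfido2 route described in the two comments above (set a PIN, set forcePinChange, no Windows UI because the process talks CTAP2 to the authenticator itself), as an added example that is not code from webauthn-interop, libfido2 or either commenter. It calls libfido2's C API from C# through P/Invoke; the class names, the `--force-change` switch and the PIN alphabet are illustrative choices, and it assumes libfido2 is on the library search path as `fido2.dll` (or `libfido2.so`) and that on Windows the process is elevated, since raw HID access to FIDO authenticators is restricted to administrators.

```csharp
// Added example (not part of webauthn-interop or libfido2): bulk-set a random
// PIN, optionally with forcePinChange, on every attached authenticator via
// libfido2 over P/Invoke. Assumes fido2.dll / libfido2.so is loadable and,
// on Windows, that we run elevated (raw FIDO HID access is admin-only).
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Security.Cryptography;

internal static class Fido2Native
{
    private const string Lib = "fido2"; // runtime probes fido2.dll / libfido2.so
    public const int FIDO_OK = 0;

    [DllImport(Lib)] public static extern void fido_init(int flags);
    [DllImport(Lib)] public static extern IntPtr fido_dev_info_new(nuint n);
    [DllImport(Lib)] public static extern int fido_dev_info_manifest(IntPtr devlist, nuint ilen, out nuint olen);
    [DllImport(Lib)] public static extern IntPtr fido_dev_info_ptr(IntPtr devlist, nuint i);
    [DllImport(Lib)] public static extern IntPtr fido_dev_info_path(IntPtr di);
    [DllImport(Lib)] public static extern void fido_dev_info_free(ref IntPtr devlist, nuint n);
    [DllImport(Lib)] public static extern IntPtr fido_dev_new();
    [DllImport(Lib)] public static extern int fido_dev_open(IntPtr dev, [MarshalAs(UnmanagedType.LPStr)] string path);
    [DllImport(Lib)] public static extern int fido_dev_close(IntPtr dev);
    [DllImport(Lib)] public static extern void fido_dev_free(ref IntPtr dev);
    // oldpin == null issues CTAP2 setPIN (fresh key); non-null issues changePIN.
    [DllImport(Lib)] public static extern int fido_dev_set_pin(IntPtr dev, [MarshalAs(UnmanagedType.LPStr)] string pin, [MarshalAs(UnmanagedType.LPStr)] string? oldpin);
    [DllImport(Lib)] public static extern int fido_dev_force_pin_change(IntPtr dev);
    [DllImport(Lib)] public static extern IntPtr fido_strerr(int n);

    public static string Err(int rc) => Marshal.PtrToStringAnsi(fido_strerr(rc)) ?? $"rc={rc}";
}

internal static class BulkPinProvisioner
{
    // CTAP2 PINs are 4..63 bytes; 8 symbols from a 32-symbol alphabet is 40 bits,
    // far beyond the 8 consecutive tries an authenticator allows before lockout.
    private const string Alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"; // no 0/O/1/I

    public static string GeneratePin(int length = 8)
    {
        var chars = new char[length];
        for (int i = 0; i < length; i++)
            chars[i] = Alphabet[RandomNumberGenerator.GetInt32(Alphabet.Length)];
        return new string(chars);
    }

    // Enumerates authenticator paths. A libfido2 built with Windows Hello support
    // also reports the pseudo-device "windows://hello", which goes through
    // webauthn.dll and cannot set a PIN, so it is skipped.
    public static List<string> ListAuthenticators(nuint max = 64)
    {
        var paths = new List<string>();
        IntPtr list = Fido2Native.fido_dev_info_new(max);
        if (list == IntPtr.Zero) throw new OutOfMemoryException("fido_dev_info_new");
        try
        {
            int rc = Fido2Native.fido_dev_info_manifest(list, max, out nuint found);
            if (rc != Fido2Native.FIDO_OK)
                throw new InvalidOperationException("fido_dev_info_manifest: " + Fido2Native.Err(rc));
            for (nuint i = 0; i < found; i++)
            {
                string? path = Marshal.PtrToStringAnsi(Fido2Native.fido_dev_info_path(Fido2Native.fido_dev_info_ptr(list, i)));
                if (path != null && !path.StartsWith("windows://", StringComparison.Ordinal))
                    paths.Add(path);
            }
        }
        finally { Fido2Native.fido_dev_info_free(ref list, max); }
        return paths;
    }

    // Sets the PIN and optionally the CTAP 2.1 forcePinChange flag. forcePinChange
    // is an authenticatorConfig feature; pre-2.1 keys reject it, which is reported
    // but not fatal, since the PIN itself was already set.
    public static void ProvisionPin(string path, string newPin, string? oldPin, bool forceChange)
    {
        IntPtr dev = Fido2Native.fido_dev_new();
        if (dev == IntPtr.Zero) throw new OutOfMemoryException("fido_dev_new");
        bool opened = false;
        try
        {
            int rc = Fido2Native.fido_dev_open(dev, path);
            if (rc != Fido2Native.FIDO_OK) throw new InvalidOperationException($"open {path}: {Fido2Native.Err(rc)}");
            opened = true;
            rc = Fido2Native.fido_dev_set_pin(dev, newPin, oldPin);
            if (rc != Fido2Native.FIDO_OK) throw new InvalidOperationException($"set PIN on {path}: {Fido2Native.Err(rc)}");
            if (forceChange && (rc = Fido2Native.fido_dev_force_pin_change(dev)) != Fido2Native.FIDO_OK)
                Console.Error.WriteLine($"{path}: forcePinChange not applied ({Fido2Native.Err(rc)})");
        }
        finally
        {
            if (opened) Fido2Native.fido_dev_close(dev);
            Fido2Native.fido_dev_free(ref dev);
        }
    }

    public static void Main(string[] args)
    {
        bool forceChange = Array.Exists(args, a => a == "--force-change"); // illustrative switch
        Fido2Native.fido_init(0);
        foreach (string path in ListAuthenticators())
        {
            string pin = GeneratePin();
            ProvisionPin(path, pin, oldPin: null, forceChange);
            // The initial PIN must reach the user out of band; emit it for the inventory.
            Console.WriteLine($"{path}\t{pin}");
        }
    }
}
```

Run it once per batch of factory-fresh keys plugged into an elevated session; keys that already have a PIN need the existing PIN passed as `oldPin` or fail with `FIDO_ERR_PIN_AUTH_INVALID`-style errors from libfido2. Pairing the random PIN with `--force-change` gives the enrollment property the thread is after: the deployment script never has to type a PIN, and the user is made to replace the provisioned one on first use.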

DoctorQuandary commented 3 days ago

Using this guide https://janbakker.tech/register-yubikeys-on-behalf-of-your-users-with-microsoft-entra-id-fido2-provisioning-apis/ I can confirm it is possible to programmatically set a randomized PIN. This doesn't eliminate the GUI interaction. Unfortunately this library is written in Python, and therefore a bit cumbersome to pass off to others.