robin-nitrokey
commented
1 year ago I’m not quite sure why the PIN is required at all as we set uv to discouraged. Looking at the source code, these lines in the fido2 library trigger the PIN verification:
elif mc and uv_configured and not self.info.options.get("makeCredUvNotRqd"):
return Truehttps://github.com/Yubico/python-fido2/blob/1.1.1/fido2/client.py#L491-L492
This effectively means that the uv value is ignored for makeCredential unless the makeCredUvNotRqd option is set. The relevant info in the FIDO2 spec is:
Note: For backwards compatibility, platforms must be aware that FIDO_2_0 (aka CTAP2.0) authenticators always require some form of user verification for authenticatorMakeCredential operations. If a platform attempts to create a non-discoverable credential on a CTAP2.0 authenticator without including the "uv" option key or the pinUvAuthToken parameter that authenticator will return an error. In contrast, a FIDO_2_1 (aka CTAP2.1) authenticator with the makeCredUvNotRqd option ID (set to true) in the authenticatorGetInfo response structure, will allow creation of non-discoverable credentials without requiring some form of user verification.
As far as I see, the Nitrokey 3 does not set this option. So we could probably fix this problem at the root and remove the PIN requirement if we add this option to fido-authenticator.
If the device has a FIDO2 PIN but the user did not specify the PIN on the command line,
nitropyshould fail early and not show a touch prompt.See also: https://github.com/Nitrokey/nitrokey-3-firmware/issues/259