I checked in Yubico Sample and when we want to register FIDO2 YubiKey (NFC), if before YubiKey have PIN, we must pass PIN when we try register new Yubikey. BUT when we authenticate (user its registred) we not must provide PIN for YubiKey, Yubico library success response AssertOnKeyAuthenticationResponse and we can authenticate. So Question is - why? I checkend webauthn on browser and we must ALWAYS provide PIN to YubiKey when authentication is present.
I checked in Yubico Sample and when we want to register FIDO2 YubiKey (NFC), if before YubiKey have PIN, we must pass PIN when we try register new Yubikey. BUT when we authenticate (user its registred) we not must provide PIN for YubiKey, Yubico library success response AssertOnKeyAuthenticationResponse and we can authenticate. So Question is - why? I checkend webauthn on browser and we must ALWAYS provide PIN to YubiKey when authentication is present.
Read that article https://support.yubico.com/hc/en-us/articles/4402836718866-Understanding-YubiKey-PINs but it not help.