duo-labs / webauthn.io

The source code for webauthn.io, a demonstration of WebAuthn.
https://webauthn.io
BSD 3-Clause "New" or "Revised" License

Chrome signs it without asking PIN #138

Closed unoukujou closed 4 months ago

unoukujou commented 4 months ago

On iOS Safari, login asks me for my YubiKey PIN.

On Android Chrome, I log in to that same account with the same YubiKey, only it doesn't ask for my PIN?

So what's going on? If I lose my YubiKey, someone who finds it can bypass the PIN by just using Chrome on Android?

How can I make sure my YubiKey never authenticates without the PIN?

MasterKale commented 4 months ago

userVerification defaults to "preferred" on webauthn.io; see the Advanced Settings dropdown:

[screenshot, 2024-05-22: Advanced Settings dropdown with userVerification set to "preferred"]

This leaves the door open for OSes and browsers to make decisions about the user's experience. In some cases user verification will get skipped because the RP has signaled that it is okay with this happening.

To avoid this behavior, RPs can mark userVerification as "required". The user will then more consistently get prompted to, e.g., provide their security key PIN.

As a security key user, the alwaysUv CTAP2.1 setting gives you agency to require PIN entry regardless of the RP's settings. Some security key vendors like Yubico offer tools like their Yubico Authenticator desktop app to help configure settings like alwaysUv on the security key itself.
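To make the "preferred" vs. "required" point concrete, here is an added example (not webauthn.io's own code, and not from the comment above). It shows the client-side request options an RP would send to `navigator.credentials.get()` with `userVerification: "required"`, and the server-side check that must accompany it: the RP has to inspect the UV bit (0x04) in the `flags` byte of the returned `authenticatorData`, because asking for "required" is only a request to the browser and authenticator. The rpId, the 37-byte sample `authenticatorData`, and the helper names are assumptions made for the example.

```javascript
// Added example: request user verification and verify the UV flag server-side.
// Layout of authenticatorData (WebAuthn spec, "Authenticator Data"):
//   rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
const FLAG_UP = 0x01; // bit 0: user present (touch)
const FLAG_UV = 0x04; // bit 2: user verified (PIN, biometric, ...)

// Client side: options for navigator.credentials.get(). In a real deployment the
// challenge and allowCredentials come from the RP server; here they are passed in.
function buildRequestOptions(challenge, credentialIds, userVerification = "required") {
  return {
    publicKey: {
      challenge,                                    // Uint8Array from the server
      rpId: "webauthn.io",                          // assumed RP ID
      allowCredentials: credentialIds.map((id) => ({ type: "public-key", id })),
      userVerification,                             // "required" | "preferred" | "discouraged"
      timeout: 60000,
    },
  };
}

// Server side: parse the fixed header of authenticatorData.
function parseAuthenticatorData(authData) {
  if (authData.length < 37) throw new Error("authenticatorData too short");
  const flags = authData[32];
  const view = new DataView(authData.buffer, authData.byteOffset + 33, 4);
  return {
    rpIdHash: authData.slice(0, 32),
    flags,
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(0, false),
  };
}

// Policy decision for an assertion: UP must always be set; UV must be set when
// the RP asked for "required". With "preferred" the RP only learns whether UV
// happened, which is exactly why a PIN may be skipped on some platforms.
function checkUserVerification(authData, requestedUv) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) {
    return { ok: false, reason: "UP flag not set" };
  }
  if (requestedUv === "required" && !parsed.userVerified) {
    return { ok: false, reason: "userVerification required but UV flag not set" };
  }
  return { ok: true, userVerified: parsed.userVerified };
}

// Constructed sample authenticatorData: all-zero rpIdHash, given flags, signCount 7.
function sampleAuthData(flags) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  buf[36] = 7;
  return buf;
}

// Touch-only assertion (UP set, UV clear) is rejected under "required"
// but accepted under "preferred".
console.log(checkUserVerification(sampleAuthData(FLAG_UP), "required"));
console.log(checkUserVerification(sampleAuthData(FLAG_UP), "preferred"));
console.log(checkUserVerification(sampleAuthData(FLAG_UP | FLAG_UV), "required"));
```

The useful takeaway is that "required" is enforced in two places: the request options tell the client to insist on verification, and the RP's own check on the UV flag is what actually refuses an assertion where no PIN was entered.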

unoukujou commented 4 months ago

> As a security key user, the alwaysUv CTAP2.1 setting gives you agency to require PIN entry regardless of the RP's settings. Some security key vendors like Yubico offer tools like their Yubico Authenticator desktop app to help configure settings like alwaysUv on the security key itself.

Well, thank goodness for that. I'll look into it. I find it quite strange that this is even normal. If I set a PIN, I don't need anything coming out of that key without the PIN. Worst part is, if I had only tested it with Safari, I would have gone on thinking I had my key locked down. Who knew I could just use a different browser and bypass the PIN. Really doesn't make sense, but I'm glad there is a setting to fix that. Thanks for the info.