silverstripe / silverstripe-webauthn-authenticator

A Web Authentication (WebAuthn) authenticator for silverstripe/silverstripe-mfa
BSD 3-Clause "New" or "Revised" License

Disable user verification (UV), make it configurable #68

Open brynwhyman opened 4 years ago

brynwhyman commented 4 years ago

Overview

We've had some reports of operating systems requiring a PIN to be entered before a Yubikey can be used for authentication. Any subsequent use of the Yubikey then appears to force a PIN before use.

Reading some documentation, this appears to be defined by a feature called user verification (UV) - something only applicable to FIDO2 and WebAuthn.

Yubico recommend explicitly enabling or disabling user verification to avoid unintended, or unexpected, user interaction: "For second factor flows, we recommend setting UV to discouraged to prevent a PIN prompt when using a YubiKey for authentication."

Expected outcome

When might a developer want to change this? From Yubico: the reason we say it should be discouraged when used in 2FA is because the user has already provided username + password and thus an additional PIN will be a very clunky UX. The PIN should be prompted for only in a FIDO2 usernameless/passwordless flow, for example, because then it will itself act as the 2F in addition to the user having possession of the YubiKey itself.

Notes

See spec: https://www.w3.org/TR/webauthn/#userVerificationRequirement

Yubico summary: https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Guide/User_Presence_vs_User_Verification.html which outlines the broad scenarios that this could kick off: "User verification can take various forms, such as password, PIN, fingerprint, public key credential, etc."
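The spec and Yubico links above describe two halves of the same setting: the relying party asks for a `userVerification` requirement in the request options, and the authenticator reports what it actually did in the flags byte of the returned authenticator data (UP = bit 0, UV = bit 2). The following is an added example, not code from silverstripe-webauthn-authenticator or from Yubico, showing a configurable requirement that defaults to `discouraged` for the second-factor case, plus the server-side check a verifier still needs: UP must always be set, and UV must be set when the configured policy is `required`. The `config` shape, `buildRequestOptions`, `verifyFlags` and `makeAuthData` names are assumptions; the 37-byte authenticator data is constructed inline with a placeholder rpIdHash.

```javascript
// Added example, not part of the silverstripe-webauthn-authenticator module.
// Assumed names: buildRequestOptions, parseAuthenticatorData, verifyFlags, makeAuthData.

const USER_VERIFICATION_VALUES = ['required', 'preferred', 'discouraged'];

// Build PublicKeyCredentialRequestOptions for a second-factor flow.
// The userVerification value comes from configuration and defaults to
// 'discouraged', which is what Yubico recommends for 2FA so a YubiKey does
// not prompt for a PIN. `challenge` must be fresh random bytes from the server.
function buildRequestOptions(config, challenge, allowCredentialIds) {
  const uv = config.userVerification === undefined ? 'discouraged' : config.userVerification;
  if (!USER_VERIFICATION_VALUES.includes(uv)) {
    throw new Error('invalid userVerification value: ' + uv);
  }
  return {
    challenge,
    rpId: config.rpId,
    timeout: 60000,
    userVerification: uv,
    allowCredentials: allowCredentialIds.map((id) => ({ type: 'public-key', id })),
  };
}

// Authenticator data layout (WebAuthn spec, "Authenticator Data"):
// rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
// Flag bits: UP (user present) = 0x01, UV (user verified) = 0x04.
const FLAG_UP = 0x01;
const FLAG_UV = 0x04;

function parseAuthenticatorData(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error('authenticator data too short');
  }
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  const flags = authData[32];
  return {
    rpIdHash: authData.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33),
  };
}

// Policy check on the assertion. 'discouraged' and 'preferred' accept a
// presence-only touch; 'required' additionally demands the UV flag, since
// a relying party must not trust a PIN/biometric check it never saw.
function verifyFlags(authData, userVerificationPolicy) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) {
    return { ok: false, reason: 'UP flag not set', userVerified: parsed.userVerified };
  }
  if (userVerificationPolicy === 'required' && !parsed.userVerified) {
    return { ok: false, reason: 'UV required but UV flag not set', userVerified: false };
  }
  return { ok: true, reason: null, userVerified: parsed.userVerified };
}

// Constructed test fixture: a minimal 37-byte authenticator data blob with a
// placeholder rpIdHash (0xab repeated), the given flags byte and counter.
function makeAuthData(flags, signCount) {
  const buf = new Uint8Array(37);
  buf.fill(0xab, 0, 32);
  buf[32] = flags;
  new DataView(buf.buffer).setUint32(33, signCount);
  return buf;
}

// Usage: default config (no userVerification key) yields 'discouraged'.
const exampleOptions = buildRequestOptions(
  { rpId: 'example.com' },
  new Uint8Array(32), // constructed placeholder; use crypto.getRandomValues in practice
  [new Uint8Array([1, 2, 3])]
);
console.log('userVerification =', exampleOptions.userVerification);
console.log('touch-only assertion under discouraged:', verifyFlags(makeAuthData(FLAG_UP, 1), 'discouraged'));
console.log('touch-only assertion under required:', verifyFlags(makeAuthData(FLAG_UP, 1), 'required'));
```

Note that the PIN prompt the issue describes is the authenticator honouring a `required` (or, on some platforms, `preferred`) request; making the value configurable lets a site keep `discouraged` for the second-factor case while still being able to switch to `required` if the credential is ever used as a single factor.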

brynwhyman commented 4 years ago

Note, Yubico has provided this recommendation in a document sent directly to the module maintainers.

robbieaverill commented 4 years ago

Good find. Maybe it can be disabled by default but configurable.