Open riedel opened 4 years ago
see also #349
I think you can only clear pin by using solo key reset command. And this will remove also all stored keys.
I think the reasoning why such an operation is not part of FIDO2 here is that for a resident key (not used as 2FA) you'd always want a PIN, otherwise the RK would just be a single factor (something you have, the key). So implementing something like this would be a weakening of the security model.
Even with the PIN enabled I can actually generate assertions on a RK that do not need the PIN.
Removing the PIN would need a PIN. There seems no more risk than changing the PIN to eg. 0000.
In my opinion would be great if you can remove your PIN, but it needs to know old PIN then.
Example.
solo key removepin your pin Are you sure that you want remove PIN? (Y/N) Y PIN removed successful!
We have to be standards-compliant here I'm afraid. I'll double check this.
OK :) I think we can do this!
The only possible downside is that clients (OS/browser) don't expect removed PIN, which may lead to some confusion when you use a key where the RP expects user verification. But given remove PIN
would only be possible via CLI, I think it's a better choice to enable "user freedom" here.
Thoughts?
I am OK with it as long as:
The same anti-hammering technique is used in the remove pin operation as the pin challenge operation (cannot have bad actor physically acquiring token and easily clearing PIN and setting new instead of entering it correctly for UV). Someone might be have a better reasoning for this angle?
User is warned that this might cause weird "unknown errors" in the case of visiting a previously registered UV requiring relying party. AFAIK nobody else supports this kind of operation, adding PIN is expected to be one way path. Obviously, this could result in bad UX.
It seems that one may only change but never remove a PIN. As some utils don't support PINs it would be quite useful (otherwise one would have to reset the whole key I guess)
Or did I miss something?