hawkerzero

The FIDO2 standard was aimed at supporting passwordless login. So the PIN was added to protect against someone stealing your YubiKey. It is optional for websites to ask for the PIN. Most websites are using FIDO2 as two factor authentication, in addition to a password. So they don't ask for the PIN. However, I have a couple of websites that require a password and ask for the PIN. Choosing a PIN should not invalidate any existing FIDO2 credentials. However, resetting the PIN will reset the FIDO2 module. https://support.yubico.com/hc/en-us/articles/4402836718866-Understanding-YubiKey-PINs


alwaysthoseusernames

So having to enter a pin is considered *passwordless*? (that's funny :-D, but I get it.). *should not invalidate*: is that for sure? Yubico does not mention this scenario on their web page :-/.


nep909

> is that for sure?

Yes. I added a (FIDO) PIN to my Yubikey 5 NFC after I had registered and used it at numerous sites. The only change was that some sites began asking for the PIN.


whizzwr

A PIN is typically shorter and less complex than a password. In the case of a FIDO2 key, the PIN is used to protect your secure hardware token, not your account. It is 2FA: something you have (Yubikey) plus something you know (PIN). In some devices the PIN can be replaced by a fingerprint, pattern, or other biometrics, so yes, it is considered passwordless.


alwaysthoseusernames

Yes, I know. But the PIN according to the FIDO2 standard is basically allowed to be exactly like any password, with a lot of numbers, letters, and symbols. That's why I said it's funny :-)


whizzwr

Well, nobody says it's PIN-less 😜 Jk aside, the point is you never send your password to the remote server; that's why it's passwordless. Not that you never enter a password.


iandunn

Yeah, it is funny, but it's optional, and it makes sense when you learn about it. From [https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Guide/FAQ.html](https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Guide/FAQ.html):

> What’s the difference between a PIN and password?
>
> As stated above, one of the allowances with FIDO2 is the option to combine hardware-based authentication with an additional factor such as a PIN. This has many of you wondering, “Well, isn’t that the same as needing to remember a password?”
>
> A PIN is actually different from a password. The purpose of the PIN is to unlock the Security Key so it can perform its role. A PIN is stored locally on the device, and is never sent across the network. In contrast, a password is sent across a network to the service for validation, and that can be phished. In addition, since the PIN is not part of the security context for remotely authenticating the user, the PIN does not need the same security requirements as passwords that are sent across the network for verification. This means that a PIN can be much simpler, shorter and does not need to change often, which reduces concerns and IT support loads for reset and recovery. Therefore, the hardware authenticator with a PIN provides a passwordless, phishing-resistant solution for authentication. Finally, the authenticator can limit how many PIN guesses can be made in a given time, or permanently block the PIN if too many incorrect attempts are made. YubiKey devices take the latter approach of blocking the PIN - and effectively destroying all private keys - after 8 incorrect attempts.
>
> Nevertheless, YubiKey devices do not constrain the PIN to a small number of digits; the FIDO2 PIN on a YubiKey can be any sequence of characters up to 256 bytes long.
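
To make the quoted point concrete (the site decides whether the PIN is requested, and the server never sees the PIN itself, only a "user verified" flag in the signed authenticator data), here is an added example that is not part of the thread or of Yubico's code: it builds the relying-party request options with `userVerification` set either way, then parses the flags byte of a constructed WebAuthn `authenticatorData` to enforce that policy server-side. The RP ID `example.com` and the sample bytes are assumptions.

```javascript
// Relying-party side of a WebAuthn assertion: request options, then response check.
// "required" makes the browser ask the key for a PIN/biometric (user verification);
// "discouraged" lets the key answer with a touch only (user presence).
function assertionOptions(challenge, requirePin) {
  return {
    challenge,                          // fresh random bytes from the server, one per ceremony
    rpId: "example.com",                // assumed RP ID for this example
    userVerification: requirePin ? "required" : "discouraged",
    timeout: 60000,
  };
}

// authenticatorData layout: rpIdHash[32] | flags[1] | signCount[4, big-endian] | optional data
const FLAG_UP = 0x01;   // user present (touch)
const FLAG_UV = 0x04;   // user verified (PIN or biometric checked on the key)
const FLAG_AT = 0x40;   // attested credential data follows (registration only)
const FLAG_ED = 0x80;   // extension data follows

function parseAuthenticatorData(bytes) {
  if (bytes.length < 37) throw new Error("authenticatorData too short");
  const flags = bytes[32];
  const signCount = new DataView(bytes.buffer, bytes.byteOffset + 33, 4).getUint32(0, false);
  return {
    rpIdHash: bytes.slice(0, 32),       // server compares this to SHA-256(rpId)
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    attestedCredentialIncluded: (flags & FLAG_AT) !== 0,
    extensionsIncluded: (flags & FLAG_ED) !== 0,
    signCount,
  };
}

// Policy check: if we asked for "required", a response whose UV bit is clear must be rejected,
// otherwise a stolen key that was only touched would pass. The PIN value itself never reaches us.
function checkUserVerification(authData, requirePin) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) return { ok: false, reason: "user presence flag not set" };
  if (requirePin && !parsed.userVerified) return { ok: false, reason: "UV required but not performed" };
  return { ok: true, parsed };
}

// Constructed sample authenticatorData: all-zero rpIdHash, given flags, signCount = 42.
function sampleAuthData(flags) {
  const b = new Uint8Array(37);
  b[32] = flags;
  b[36] = 42;
  return b;
}
```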


johnnygoodface

But, if I understand correctly, once you have set a PIN, you can't remove it (only change it) without erasing the FIDO2 password (this seems to be the case at least on my Yubikey), right?