Hello,
Using OnlyKey CLI v1.2.9 I’m unable to set the FIDO2 PIN:
onlykey-cli set-pin
Please enter new pin:
Please confirm new pin:
CTAP error: 0x30 - NOT_ALLOWED
Using firmware v2.1.2-prodc
Any hint?
THX
After a reset this works but this is a no-go as all existing FIDO2 credentials are lost.
The thing is I did not set a pin previously. Could there be a default pin?
There must have been a pin set; is it possible one of the sites registered requested to set a pin? The set-pin only works the first time setting a pin.
$ onlykey-cli set-pin
Please enter new pin:
Please confirm new pin:
Done. Please use new pin to verify key
$ onlykey-cli set-pin
Please enter new pin:
Please confirm new pin:
CTAP error: 0x30 - NOT_ALLOWED
Could a website set the PIN directly?
I did not even install the onlykey-cli before trying to set the pin.
Could a website set the PIN directly?
The first time you set up a FIDO2 login at a website it will prompt you to set a pin.
So I may have created a PIN when doing tests a long time ago without knowing this pin would stay forever.
I bet I’m not the only one. Some big warning somewhere in the documentation may be useful then.
I guess there’s no possible way to reset the PIN without losing the FIDO2 credentials?
Thx.
To change your PIN:
$ onlykey-cli change-pin
Please enter old pin:
Please enter new pin:
Please confirm new pin:
Done. Please use new pin to verify key
I do not know the initial PIN…
Is it technically possible for a website to set the PIN without any approval on the OnlyKey by the user?
I do not see any feedback needed on the OnlyKey once it is unlocked.
Is it technically possible for a website to set the PIN without any approval on the OnlyKey by the user?
No, I am not aware of any way this would be possible.
What is the expected flow for the initial creation of the PIN when starting from a web page?
In the documentation, one must use the onlykey-cli to achieve this.
As I never used the CLI before I wonder how this PIN was set first.
THX
Weird enough to mention it: I also checked with one of my solokeys (correct me if I’m wrong, this is the same implementation as OnlyKey for U2F). For this one also I never installed the CLI and discovered an unknown PIN is set.
The only common point I see is that both are rather old and came with a very old firmware that I upgraded. Is it possible that a firmware upgrade could interfere somehow and set a PIN?
THX
I have not been able to replicate your issue here. There is no default PIN set. There are several ways to set a PIN, but they all require typing the PIN and confirming.
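Added example, not part of the thread and not OnlyKey project code: a pre-flight check that reads the `clientPin` option a CTAP2 key reports in authenticatorGetInfo and says whether `set-pin` or `change-pin` applies, which is the condition behind the 0x30 NOT_ALLOWED above. The function names are hypothetical, `read_options()` assumes the python-fido2 package and an attached key, and the sample options map is constructed.

```python
"""Pre-flight check for FIDO2 PIN commands (added example, not OnlyKey code)."""


def pin_state(options):
    """Classify the clientPin entry of a CTAP2 authenticatorGetInfo options map.

    Per CTAP2: key absent = no PIN support, False = supported but no PIN set,
    True = a PIN is already set.
    """
    if "clientPin" not in options:
        return "unsupported"
    return "set" if options["clientPin"] else "unset"


def preflight(command, options):
    """Return (ok, advice) for running `onlykey-cli <command>` on this key."""
    state = pin_state(options)
    if command not in ("set-pin", "change-pin"):
        raise ValueError(f"unknown command: {command}")
    if state == "unsupported":
        return False, "authenticator does not report clientPin support"
    if command == "set-pin" and state == "set":
        # The case in this thread: the key answers 0x30 NOT_ALLOWED.
        return False, "a PIN is already set: use change-pin with the old PIN"
    if command == "change-pin" and state == "unset":
        return False, "no PIN is set yet: use set-pin"
    return True, f"{command} is valid while clientPin is {state}"


def read_options():
    """Read the options map from the first attached key.

    Assumes the python-fido2 package is installed and a key is plugged in.
    """
    from fido2.hid import CtapHidDevice
    from fido2.ctap2 import Ctap2

    dev = next(CtapHidDevice.list_devices(), None)
    if dev is None:
        raise RuntimeError("no FIDO2 HID device found")
    return Ctap2(dev).info.options


if __name__ == "__main__":
    # Constructed sample: options as reported by a key that already has a PIN.
    sample = {"rk": True, "up": True, "clientPin": True}
    for cmd in ("set-pin", "change-pin"):
        print(cmd, preflight(cmd, sample))
```

With a key attached, `preflight("set-pin", read_options())` reports the PIN state before any command is sent, so an unexpected existing PIN is discovered without risking a reset.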