Unable to list credentials and set FIDO2 PIN in CLI

My OnlyKey is in config mode (the LED is flashing red). I am starting the Python CLI:

First I want to set the FIDO2 PIN:

OnlyKey> set-pin

Please enter new pin:
Please confirm new pin:
no device found

What does the “no device found” mean here?

Next, I want to show / list FIDO2 credentials:

OnlyKey> credential info

PIN:

OnlyKey>

What am I doing wrong?

Still haven’t made any progress unfortunately.

I have verified with the demo at https://webauthn.io that authentication works, but I am unable to use any of the functions in the Python CLI related to FIDO2 (set-pin, change-pin, credential info, credential ls), see above.

Any pointers are welcome.

Same issue here. Not sure what is going on. I have setup a few things with FIDO2 and it doesn’t show anything.

I believe you wont be able to set the pin once it is configured initially though.

Thanks for confirming – I was wondering whether it’s just me.

How do you set the PIN during initial configuration? To my understanding, the FIDO2 PIN is unrelated to the PINs which are set up during initial configuration (i.e., primary and secondary profiles, and wiping). I can recall that there was an option to set up a FIDO2 PIN, and if it’s not possible to change it later, then I’d be wondering why there is an API for it through the Python CLI.

Hopefully we’ll receive a response from the developers to clarify this.

yeah you are probably on to something there. I assumed it was requesting the initial lock code from when it was setup.

@ZorgroZ There are several ways to set the PIN.

  1. This is set whenever you register your key at a site supporting FIDO2 for example - passwordless.dev
  2. This is set in Windows 10 by going to manage your security keys
  3. This is set manually with the OnlyKey CLI like this:
$ onlykey-cli set-pin
Please enter new pin: 
Please confirm new pin: 
Done. Please use new pin to verify key

Note: This pin is entered via your keyboard not on the OnlyKey, FIDO2 requires this.

Edit: Just saw that you said your device was in config mode. This is not required to set the FIDO2 pin, just set this pin with OnlyKey unlocked via keyboard.

Mine was not in config mode and gets the same no device found error

If using Linux you have the UDEV rule installed? Can you provide OS you are using and other details that would help reproduce issue?

I have tried both. Windows 10 gets “no device found” and Linux got a different error. I can try Linux again and update here.

Tested on Ubuntu 20.10 VM downloaded from osboxes.org, followed instructions here -OnlyKey Command-Line Utility | Docs

set-pin works as expected

I am also still getting “no device found” on Windows 10, whether in config mode or not (key unlocked obviously, i.e., LED green) when using the Python CLI. I also verified that the FIDO2 PIN is indeed not set / changed, so it’s effectively not working for me.

I was only able to set the FIDO2 PIN through Windows 10 settings (“Sign-in options”) as suggested by your item 2 above and in the other thread.

BTW, why are there two similar functions: set-pin and change-pin? (change-pin also doesn’t work for me, with similar output than set-pin.)

@t11 Are you able to also verify set-pin / change-pin functionality on Windows 10? Is there any info I can provide to diagnose / reproduce this?

On Windows 10, apps need elevated rights to access FIDO2 devices, just run command prompt or powershell as admin. You can also set, change PIN in Windows 10 Settings App without elevated rights.

Browsers use WinCrypt API so they don’t need elevated rights.

1 Like

Edit: @Extrawdw beat me to it:

I think I found the solution for Windows 10. I feel dumb for not thinking of it sooner. Run as Admin. That’s all. See the screenshots below, I run net file to show which shell is running with admin permissions.

Regular user:
image

Administrator:
image

Please don’t tell my boss that it took me this long to figure it out :sweat_smile:

Thanks @Extrawdw, this also works for me. For someone not intimately familiar with FIDO functionality on Windows 10, it’s really not obvious that admin rights are needed for just these few CLI commands (and not the others). It’s also not obvious that you don’t have to be in command mode for this. I suggest both should be mentioned in the documentation.

I know I tried Admin command prompt but i must have missed something along the way at the time. Thanks for the help. works now.

The newly released CLI here no longer requires running as admin to list credentials - Release v1.2.5 · trustcrypto/python-onlykey · GitHub

1 Like