The FIDO2 protocol is an amalgamation of two standards: W3C WebAuthn (for the communication between the client and the relying party) and CTAP2 (for accessing the authenticator from the client). At a high level, the FIDO2 protocol comprises both the registration and the authentication process.
FIDO2 is an update of FIDO U2F and is defined in [RD3]. It takes into account PIN management, in addition to the new standardized protocols, WebAuthn [RD8] and CTAP2.
CSPN Approved Mode
The FIDO2 protocol can be used in two different CSPN modes of operation:
- FIDO2 with a PIN code set on the YubiKey 5 (see FIDO2 With PIN Code), or
- FIDO2 without a PIN code set on the YubiKey 5 (see FIDO2 Without PIN Code)
FIDO2 With PIN Code
If WebAuthn User Verification is set to ‘Required’ by the WebAuthn relying party when the user registers the YubiKey 5 as a FIDO2 device, it will prompt the user’s client to protect the FIDO2 credentials with a PIN code during the enrollment. Alternatively, the user may also use YubiKey Manager to set a PIN code which will protect the FIDO2 credentials. In both cases, the YubiKey 5 will require the user to enter a PIN code when using it for FIDO2 authentication.
As part of the registration process, the user must touch the YubiKey 5 sensor when the browser or application prompts for it. Furthermore, the user must also touch the YubiKey 5 when the browser or application requests it during the authentication process.
FIDO2 Without PIN Code
If WebAuthn User Verification is not enforced as recommended above, the YubiKey 5 must then be used as a second factor authentication device. To operate the YubiKey 5 in a CSPN approved mode under such a scenario, the user must first be identified with a first factor authentication scheme (e.g. username/password). The details of such a first factor authentication scheme are, however, beyond the scope of this document.
The YubiKey 5 will, by default, require the sensor to be touched for this configuration. As part of the registration process, the user must touch the YubiKey 5 sensor when the browser or application prompts for it. Furthermore, the user must also touch the YubiKey 5 when the browser or application requests it during the authentication process.
FIDO2 With PIN Code
There are two ways to set the PIN code for the FIDO2 application on a YubiKey 5:
- The user can set the PIN code by using the tool YubiKey Manager
- The relying party (server application) can request the user’s client to set the PIN code during the WebAuthn registration
In addition to the PIN being set on the YubiKey, the touch sensor is required by default for FIDO2.
Set FIDO2 PIN Code with ykman
The YubiKey Manager may be used to set a PIN code for the FIDO2 credentials on the YubiKey 5. When a PIN code is set, all FIDO2 credentials will be protected by the same PIN code. In order to set the PIN code with YubiKey Manager, select Applications from the menu and then the FIDO2 option. In the resulting GUI, press the “Set PIN” button.
In the next popup which appears, the user is prompted to set the new PIN and to confirm this PIN for the FIDO2 application.
Set FIDO2 PIN Code From the Relying Party
The WebAuthn relying party (authentication server) can instruct a client to set the PIN code on an authenticator during the enrollment of the FIDO2 credentials.
A client, according to the WebAuthn/FIDO2 specifications, is any user device that supports WebAuthn/FIDO2. In practice, this is a hardware device (smartphone, tablet, laptop, etc.), an operating system (Microsoft Windows, Apple macOS, Apple iOS, Android, Linux, etc.) or a web browser (Google Chrome, Apple Safari, Microsoft Edge, Mozilla Firefox, etc.).
If the WebAuthn MakeCredentials parameter UserVerification is set to ‘Required’, this will prompt the client to set the PIN code on the YubiKey 5.
The GUI for setting the FIDO2 PIN code may differ between clients. The image below is an example of using Google Chrome with Windows 10 for setting the FIDO2 PIN on a YubiKey 5.
FIDO2 Without PIN Code
If the relying party has set the WebAuthn MakeCredentials parameter UserVerification to ‘Discouraged’, this will not trigger the client to set any FIDO2 PIN code on the YubiKey 5. Furthermore, if no FIDO2 PIN is set by using the YubiKey Manager, then there will be no PIN set to protect the FIDO2 credentials.
However, touch will still be required, by default, for using the FIDO2 credentials during WebAuthn authentication.
When the PIN code is disabled for FIDO2 on the YubiKey 5, the CSPN approved mode is achieved by using a first factor authentication protocol in conjunction with the YubiKey 5 configured for FIDO2 and touch.