Class GetPinRetriesCommand

Namespace
Yubico.YubiKey.Fido2.Commands
Assembly
Yubico.YubiKey.dll

Gets the number of PIN retries remaining for FIDO2.

public class GetPinRetriesCommand : IYubiKeyCommand<GetPinRetriesResponse>
Inheritance
object
GetPinRetriesCommand
Implements

Remarks

When verifying a FIDO2 PIN, the user may mistype it, and the verification will fail. Fail enough times in a row, and the YubiKey may block further authentication attempts. Once this has happened, the YubiKey FIDO application must be reset, resulting in the loss of all FIDO credentials.

While this may seem catastrophic, it is actually a valuable protection mechanism against attackers guessing at the YubiKey's PIN. The range of possible PINs far exceeds the limited number of guesses available to the user. By locking out the FIDO application, an attacker is denied the opportunity of unlimited guessing.

For non-malicious cases, where a user simply mistyped their PIN, the user will likely never exhaust the number of allowed retries. This is because the retry counter is reset to the configured number of retries once a valid PIN has been entered. For example, if the retry counter started with 8 retries and you enter 4 incorrect guesses, the retry counter will be reset to 8 if you enter the correct PIN on the 5th retry.

The number of allowable retries is configurable, and may differ between YubiKeys. By default, it is set to 8 retries. This command will return the current number of remaining retries for this particular YubiKey. Use the value returned by this command's partner response class instead of making any assumptions as to the number of retries remaining.
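The following is an added example, not code from the SDK or its documentation: it reads the remaining retry count before an application prompts for the PIN, and refuses to prompt once the counter is exhausted. `PinPromptGuard`, `Decision` and the warning threshold are hypothetical names and values; the example also assumes that `GetPinRetriesResponse.GetData()` returns a tuple whose first element is the retry count, which may differ between SDK versions.

```csharp
using System;
using System.Linq;
using Yubico.YubiKey;
using Yubico.YubiKey.Fido2.Commands;

// Hypothetical helper, not part of the SDK.
public static class PinPromptGuard
{
    public enum Decision { Prompt, WarnThenPrompt, Blocked }

    // Hypothetical policy value: warn the user once this few attempts remain.
    private const int WarnAtOrBelow = 3;

    // Pure policy over the counter value, so it can be tested without a YubiKey.
    public static Decision Evaluate(int retriesRemaining) =>
        retriesRemaining <= 0 ? Decision.Blocked
        : retriesRemaining <= WarnAtOrBelow ? Decision.WarnThenPrompt
        : Decision.Prompt;

    // Asks the YubiKey for the live counter instead of assuming the default of 8.
    public static Decision Check(IYubiKeyDevice yubiKey)
    {
        using IYubiKeyConnection connection = yubiKey.Connect(YubiKeyApplication.Fido2);
        GetPinRetriesResponse response = connection.SendCommand(new GetPinRetriesCommand());

        if (response.Status != ResponseStatus.Success)
        {
            throw new InvalidOperationException(response.StatusMessage);
        }

        // Assumption: GetData() returns a tuple; the first element is the count.
        (int retriesRemaining, _) = response.GetData();
        Console.WriteLine($"FIDO2 PIN retries remaining: {retriesRemaining}");
        return Evaluate(retriesRemaining);
    }

    public static void Main()
    {
        IYubiKeyDevice yubiKey = YubiKeyDevice.FindAll().FirstOrDefault()
            ?? throw new InvalidOperationException("No YubiKey found.");

        switch (Check(yubiKey))
        {
            case Decision.Blocked:
                Console.WriteLine("PIN is blocked; the FIDO application must be reset.");
                break;
            case Decision.WarnThenPrompt:
                Console.WriteLine("Few attempts remain; confirm the PIN before retrying.");
                break;
            default:
                Console.WriteLine("OK to prompt for the PIN.");
                break;
        }
    }
}
```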

Constructors

GetPinRetriesCommand()

Constructs a new instance of GetPinRetriesCommand.

public GetPinRetriesCommand()

Properties

Application

Gets the YubiKeyApplication (e.g. PIV, OATH, etc.) to which this command applies.

public YubiKeyApplication Application { get; }

Property Value

YubiKeyApplication

YubiKeyApplication.Otp, YubiKeyApplication.Piv, etc.

Methods

CreateCommandApdu()

Creates a well-formed CommandApdu to send to the YubiKey.

public CommandApdu CreateCommandApdu()

Returns

CommandApdu

A valid CommandApdu that is ready to be sent to the YubiKey, or passed along to additional encoders for further processing.

Remarks

This method will first perform validation on all of the parameters and data provided to it. The CommandAPDU it creates should contain all of the data payload for the command, even if it exceeds 65,535 bytes as specified by the ISO 7816-4 specification. The APDU will be properly chained by the device connection prior to being sent to the YubiKey, and the responses will be collapsed into a single result.

CreateResponseForApdu(ResponseApdu)

Creates the corresponding IYubiKeyResponse implementation for the current command.

public GetPinRetriesResponse CreateResponseForApdu(ResponseApdu responseApdu)

Parameters

responseApdu ResponseApdu

The ResponseApdu returned by the YubiKey.

Returns

GetPinRetriesResponse

The implementation of IYubiKeyResponse that parses and presents this response APDU.