SetMinPinLengthCommand Class
Namespace: Yubico.YubiKey.Fido2.Commands Assembly: Yubico.YubiKey.dllSet the minimum PIN length, and/or provide a list of relying party IDs that specify which relying parties can see the minimum PIN length, and/or specify whether the PIN must be changed before PIN verification can succeed.
public class SetMinPinLengthCommand : Object, IYubiKeyCommand<Fido2Response>
Implements
Remarks
The partner Response class is Fido2Response. This command does not return any data, it only returns "success" or "failure", and has some FIDO2-specific error information.
This command is valid only if the "setMinPINLength" option is present and
set to true
.
For any call to this command, it will perform any combination of one,
two, or three of the operations. Each operation is optional, including
setting a new minimum PIN length. For example, if you want to only set
the list of RP Ids, you can do so using this command with a null
newMinPinLength
and a null forceChangePin
.
The YubiKey's FIDO2 application is manufactured with a minimum PIN length. Users that want a different length can call this command. However, it is not possible to set the minimum PIN length to a value less than the current minimum. The only way to possibly set a shorter minimum PIN length is to reset the entire FIDO2 application on the given YubiKey.
The PIN length is measured in code points. See the User's Manual entry on the FIDO2 PIN for more information on PIN composition.
Note that the standard specifies that a PIN cannot be less than 4 Unicode characters and no more than 63 bytes when encoded as UTF-8. Hence, there are limits to the new minimum PIN length.
The list of RP IDs will specify that any RP on the list is allowed to see the minimum PIN length of a YubiKey. That will be visible only during the MakeCredential process. Generally, it is used so that an RP will refuse to provide a credential to an authenticator if the minimum PIN length is too low.
It is possible for a YubiKey to be manufactured with a pre-configured list of RP IDs. That list will never change, even after reset. If RP IDs are added using the SetMinPINLength command, they will be IDs in addition to the pre-configured list.
If RP IDs are added using this command, they will replace any RP IDs that had been added during a previous call to this command. Note that there is no way to get the current list.
If the minimum PIN length is set, and if the current PIN is smaller than
this value, then the YubiKey will require the user to change the PIN. It
will not verify the current PIN and any operation that requires
PIN verification will fail until the PIN is changed to a value that meets
the new requirement. For example, suppose the current minimum PIN length
is 4 and you have a PIN of length 6. You set the minimum PIN length to 7,
but do not set forceChangePin
(you pass in null for that arg). The
YubiKey will still require the user change the PIN.
If forceChangePin
is true, then the caller is requiring the user
to change the PIN, no matter what.
You can know if a PIN must be changed (either because the min PIN length
is now longer than the existing PIN or the forceChangePin
was
set), look at the ForcePinChange property
in the AuthenticatorInfo
.
Constructors
Name | Description |
---|---|
SetMinPinLengthCommand(Nullable<Int32>, IReadOnlyList<String>, Nullable<Boolean>, ReadOnlyMemory<Byte>, PinUvAuthProtocolBase) | Constructs a new instance of SetMinPinLengthCommand. |
Properties
Name | Description |
---|---|
Application | Gets the YubiKeyApplication (e.g. PIV, OATH, etc.) to which this command applies. |
Methods
Name | Description |
---|---|
CreateCommandApdu() | Creates a well-formed CommandApdu to send to the YubiKey. |
CreateResponseForApdu(ResponseApdu) | Creates the corresponding IYubiKeyResponse implementation for the current command. |