0

When I try to use my Yubico 5 NFC FIDO key to authenticate on any portal, Windows opens a Windows Security dialog asking for a PIN. I don't remember having created a PIN.

I can't find it when trying now, but there was an option for forgetting the PIN, directing to Settings > Account > Sign-in options. It has an option to change the PIN, but it requires knowing the current PIN.

I'm lost now. Windows doesn't let me use my FIDO device and doesn't let me change the PIN.

Update: thanks to @John, I enabled Windows Hello PIN. With it, when authenticating on a portal that already had the key added, Windows Security is asking for Hello PIN instead of this key PIN, and I'm able to authenticate.

But Windows Hello is bypassing the physical touch on the key to allow its use. That's troubling because some software would be able to use it without physical authorization.

And when I try to add the key to a portal that doesn't have it, Windows Security goes back to asking for the key PIN and I'm unable to add it.

Based on these behaviors, I guess that Windows Security has some bug with FIDO or Yubikey 5 NFC. I can't be sure I hadn't created this PIN, but I don't remember it.

3
  • 1
    Shouldn’t it be the PIN to the device, or do you have a biometric Yubico?
    – Ramhound
    Commented Nov 29, 2021 at 23:22
  • No, it's 5 NFC.
    – Hikari
    Commented Nov 29, 2021 at 23:25
  • Can you provide an equivalent sign-in option screenshot from your machine, similar to that of John’s screenshot?
    – Ramhound
    Commented Nov 30, 2021 at 13:16

2 Answers

2

Log in to Windows with your password.

Go to Settings, Accounts, Sign in Options.

Click on PIN and a sub window opens.

Click on Change.

That should (and does) work. I am assuming you can log into Windows with a password.

Change PIN

7
  • Thanks. Different from the SS, I didn't have a Windows Hello PIN. Oddly, I added one, and now FIDO authentication asks me for it. When provided, I'm authenticated without needing to touch the key. It works, but that's not the behavior I want; I do want a physical action to allow my key to authenticate. I tried then to remove Windows Hello PIN, but now it asks again for the key PIN, which I have no idea what it is. I added Windows Hello PIN again and it works again, but bypassing the touch.
    – Hikari
    Commented Nov 29, 2021 at 23:41
  • 1
    Can you reset the FIDO key? That may help.
    – anon
    Commented Nov 29, 2021 at 23:45
  • On the Security Key section, there's the option to change PIN - which I can't do because it requires current PIN - and reset the key. But it says to reset to factory settings. So I'd lose all authentication info and have trouble with portals I had already added it to.
    – Hikari
    Commented Nov 29, 2021 at 23:58
  • 1
    I do not know any way around that at this point. You would have to go to the portals, remove your credentials, and then add new ones.
    – anon
    Commented Nov 30, 2021 at 0:04
  • I don't understand why Windows is doing this. Looks like it's trying to bind Windows Hello to the key and use Hello to manage the key. Windows Hello should be to authenticate on the OS, not to manage portals authentication. It's so dumb that it doesn't let me change the PIN on a device that may be used for passwordless authentication, but when Windows Hello is enabled it's used instead.
    – Hikari
    Commented Nov 30, 2021 at 0:22
0

Windows 10 seems to be amazingly unhelpful here. As far as I can tell, the only way around the extra PIN requirement is to disable the FIDO2 on the key itself. This has some downsides, particularly that you can't use the key to log into Microsoft-- it will only be useful for third party logins.

If you're willing to put up with that, to disable FIDO2 you need the Yubikey Manager. It is a separate app, available here: https://www.yubico.com/support/download/yubikey-manager/

3
  • Explaining HOW to use this tool to solve the question that was asked would make this an answer. Right now, this is 2/3rds commentary, and 1/3rd suggestion, without an actual answer. Editing this to add the necessary "how to" steps is strongly recommended and would benefit you and others visiting this site with this question in the future. Commented Oct 2, 2023 at 16:14
  • This does not provide an answer to the question. Once you have sufficient reputation you will be able to comment on any post; instead, provide answers that don't require clarification from the asker. - From Review Commented Oct 2, 2023 at 16:14
  • Although different to the question asked, this actually solved my problem whereby Windows kept asking for a pin when attempting to register a security key in apps like Discord, GitHub etc via FIDO U2F. Not FIDO2 passwordless, but a bog standard security key. I wish Windows was a bit more sensible to correctly negotiate the protocol.
    – ColinM
    Commented Feb 16 at 19:57
