Unable to enter a PIN when using the YubiKey Bio


When using the YubiKey Bio to authenticate to a FIDO2 website, you may encounter the following message, which does not allow you to enter a PIN:

[Image: biopin1.jpeg]

The root cause of this issue is a bug in the Windows 10 "webauthn.dll", which all FIDO2 authentication traffic flows through. This bug appears to affect all versions of Windows 10. The conditions to trigger this bug are as follows:


  • The user has a YubiKey Bio with a PIN set, but NO fingerprints enrolled
  • The user is trying to authenticate to a website where "User Verification" is set to "Discouraged" (This is a setting from the Identity Provider)
  • The YubiKey Bio is set to always require UV (Default setting)

The issue is that the relying party does not require User Verification (entering the PIN or using a fingerprint to verify that the owner of the YubiKey is present), but the YubiKey Bio is configured to force User Verification anyway. As a result, webauthn.dll should prompt the user to enter a PIN. However, it appears to be confused by the key reporting itself as a biometric authenticator and assumes the user only needs to touch the key to validate their fingerprint. This assumption is evident because the issue does not occur once a fingerprint is enrolled. The issue also does not occur on other operating systems, and it does not occur on a YubiKey 5.

There are two workarounds for this case:

  1. The administrator of the website can configure the "User Verification" setting to be "Preferred" or "Required". This bypasses the bug and allows the user to enter a PIN as expected, even when using a YubiKey Bio that does not have a fingerprint registered.
  2. The owner of the YubiKey Bio can register a fingerprint, either by using the Windows built-in tool found in the security settings screen, or by using the YubiKey Authenticator application that is freely available from Yubico.com. They may also be able to use a web browser such as Google Chrome to register fingerprints by going here.
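The following is an added example, not code from Yubico or from this article. It models the trigger conditions listed above as a check a relying-party administrator can run against their WebAuthn configuration, and shows the first workaround in code: building the `navigator.credentials.get()` options with `userVerification` set to `"preferred"` rather than `"discouraged"`. The `rpId` value `example.com`, the authenticator description object and the `platform` string are assumptions made for the example.

```javascript
// Added example (not Yubico's code). Models the conditions under which the
// Windows 10 webauthn.dll bug described in the article prevents PIN entry,
// and builds relying-party assertion options that avoid it.

const USER_VERIFICATION_VALUES = ["required", "preferred", "discouraged"];

// Returns true when every trigger condition from the article is present:
// a YubiKey Bio with a PIN set and no fingerprints enrolled, configured to
// always require UV, used on Windows 10 against a relying party that sets
// userVerification to "discouraged". Any other combination returns false.
// The `authenticator` and `platform` shapes are assumptions for this example.
function hitsBioPinBug(authenticator, rpUserVerification, platform) {
  return (
    platform === "windows10" &&
    authenticator.model === "YubiKey Bio" &&
    authenticator.pinSet === true &&
    authenticator.fingerprintsEnrolled === 0 &&
    authenticator.alwaysUv === true &&
    rpUserVerification === "discouraged"
  );
}

// Builds the `publicKey` member for navigator.credentials.get().
// userVerification defaults to "preferred", which is workaround 1 above:
// the browser then prompts for the PIN even on a YubiKey Bio with no
// fingerprint enrolled.
function buildAssertionOptions(challenge, credentialIds, userVerification = "preferred") {
  if (!USER_VERIFICATION_VALUES.includes(userVerification)) {
    throw new Error(`invalid userVerification value: ${userVerification}`);
  }
  return {
    challenge, // server-generated random bytes (Uint8Array)
    timeout: 60000,
    rpId: "example.com", // assumed relying party id
    allowCredentials: credentialIds.map((id) => ({ type: "public-key", id })),
    userVerification,
  };
}

// Audits an existing options object and reports whether a YubiKey Bio user
// without enrolled fingerprints would hit the bug on Windows 10.
function auditAssertionOptions(options) {
  const bioNoFingerprint = {
    model: "YubiKey Bio",
    pinSet: true,
    fingerprintsEnrolled: 0,
    alwaysUv: true,
  };
  const affected = hitsBioPinBug(bioNoFingerprint, options.userVerification, "windows10");
  return {
    affected,
    recommendation: affected
      ? 'set userVerification to "preferred" or "required"'
      : "no change needed",
  };
}

// Usage with constructed sample values (run stand-alone with node):
const challenge = new Uint8Array(32); // constructed placeholder; use random bytes in practice
const credentialId = new Uint8Array(16); // constructed placeholder credential id
const weak = buildAssertionOptions(challenge, [credentialId], "discouraged");
const fixed = buildAssertionOptions(challenge, [credentialId]);
console.log("discouraged:", auditAssertionOptions(weak));
console.log("preferred:  ", auditAssertionOptions(fixed));
```

The audit function is what an identity-provider administrator would run over their current request options: if it reports `affected`, switching the setting to "preferred" or "required" is the change described in workaround 1.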