Description
Under certain conditions, when using a YubiKey Bio on a Windows 10 PC, WebAuthn authentication can get stuck at the login screen: the user is asked to enter their security key PIN but is not presented with a field to enter it, so the authentication cannot be completed.
Conditions
The root cause is a bug in the Windows 10 "webauthn.dll", through which all FIDO2 authentication traffic flows. This bug appears to affect all versions of Windows 10. The conditions that trigger it are as follows:
- The user has a YubiKey Bio with a PIN set, but NO fingerprints enrolled
- The user is trying to authenticate to a website where "User Verification" is set to "Discouraged" (this setting is controlled by the Identity Provider)
- The YubiKey Bio is set to always require UV (Default setting)
The issue is that the relying party does not require User Verification (entering the PIN or using a fingerprint to confirm that the owner of the YubiKey is present), while the YubiKey Bio enforces User Verification regardless. In this situation webauthn.dll should prompt the user to enter a PIN. Instead, it appears to be confused by the key reporting itself as a biometric authenticator and assumes that the user needs to touch the key to validate their fingerprint. The reason to believe this is that the issue does not occur when a fingerprint is enrolled. The issue also does not occur on other operating systems, and it does not occur with a YubiKey 5 Series key.
Solutions/Workarounds
- The administrator of the website can configure the "User Verification" setting to "Preferred" or "Required". This bypasses the bug and lets the user enter a PIN as expected, even with a YubiKey Bio that has no fingerprint enrolled.
- The owner of the YubiKey Bio can enroll a fingerprint, either with the Windows built-in tool found in the security settings screen or with the Yubico Authenticator application, which is freely available from Yubico.com. They may also be able to enroll fingerprints with a web browser such as Google Chrome by going to our Get started with YubiKey Bio Series page.
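The following is an added example, not code from this article or from Yubico, showing the relying-party side of the first workaround: building the WebAuthn assertion options with the "userVerification" policy set to "preferred" (instead of "discouraged"), and then checking the UP and UV flags in the returned authenticatorData so that a "required" policy is actually enforced. The RP ID, timeout and sample authenticatorData bytes are constructed assumptions.

```javascript
// Added example (not from the Yubico article): relying-party handling of the
// WebAuthn userVerification policy. Flag bit positions follow the WebAuthn
// authenticator data layout: bit 0 = UP (user present), bit 2 = UV (user verified).

const UV_POLICIES = ["discouraged", "preferred", "required"];

// Build PublicKeyCredentialRequestOptions for navigator.credentials.get().
// "preferred" or "required" avoids the webauthn.dll condition described above;
// "discouraged" is still accepted here so the policy can be compared.
function buildAssertionOptions(challenge, credentialIds, userVerification = "preferred") {
  if (!UV_POLICIES.includes(userVerification)) {
    throw new Error(`unknown userVerification policy: ${userVerification}`);
  }
  return {
    challenge,                       // Uint8Array of fresh random bytes from the server
    rpId: "example.com",             // assumed RP ID
    allowCredentials: credentialIds.map((id) => ({ type: "public-key", id })),
    userVerification,
    timeout: 60000,                  // assumed value, milliseconds
  };
}

// Parse the fixed header of authenticatorData: rpIdHash(32) | flags(1) | signCount(4, big-endian).
function parseAuthenticatorData(authData) {
  if (authData.length < 37) throw new Error("authenticatorData too short");
  const flags = authData[32];
  const signCount = new DataView(authData.buffer, authData.byteOffset + 33, 4).getUint32(0, false);
  return {
    rpIdHash: authData.slice(0, 32),
    userPresent: (flags & 0x01) !== 0,
    userVerified: (flags & 0x04) !== 0,
    signCount,
  };
}

// Decide whether an assertion satisfies the policy the RP requested.
// UP is always mandatory; "required" additionally needs the UV flag,
// while "preferred" and "discouraged" accept an assertion with or without UV.
function assertionSatisfiesPolicy(userVerification, parsed) {
  if (!parsed.userPresent) return false;
  if (userVerification === "required") return parsed.userVerified;
  return true;
}

// Constructed sample authenticatorData: all-zero rpIdHash, given flags, signCount = 7.
function sampleAuthData(flags = 0x05) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  buf[36] = 7;
  return buf;
}
```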