0

When I try to use my Yubico 5 NFC FIDO key to authenticate on any portal, Windows opens a Windows Security dialog asking for a PIN. I don't remember having created a PIN.

I can't find it when trying now, but there was an option for forgetting the PIN, directing to Settings > Account > Sign-in options. It has option to change the PIN, but it requires knowing current PIN.

I'm lost now. Windows doesn't let me use my FIDO device and doesn't let me change the pin.

Update: thanks to @John, I enabled Windows Hello PIN. With it, when authenticating on a portal that alrdy had the key added, Windows Security is asking for Hello PIN instead of tis key PIN, and I'm able to authenticate.

But Windows Hello is bypassing the physical touch on the key to allow its use, that's troubling because some software would be able to use it without physical authorization.

And when I try to add the key to a portal that doesn't have it, Windows Security turns back into asking the key pin and I'm unable to add it.

Based on these behaviors, I guess that Windows Security has some bug with FIDO or Yubikey 5 NFC. I can't assure I hadn't created this PIN, but I don't remember it.

Hikari
  • 307
  • 7
  • 25

1 Answers1

2

Log in to Windows with your password.

Go to Settings, Accounts, Sign in Options.

Click on PIN and a sub window opens.

Click on Change.

That should (and does) work. I am assuming you can log into Windows with a password.

Change PIN

John
  • 46,167
  • 4
  • 33
  • 54
  • Thanks. Different from the SS, I didn't have a Windows Hello PIN. Oddly, I added one, and now FIDO authentication asks me for it. When provided, I'm authenticated without needing to touch the key. It works, but that's not the behavior I want, I do want a physical action to allow my key to authenticate. I tried then to remove Windows Hello PIN, but now it asks again for the key PIN I have no idea what is. I added Windows Hello PIN again and it works again, but bypassing the touch. – Hikari Nov 29 '21 at 23:41
  • 1
    Can reset the FIDO Key? That may help. – John Nov 29 '21 at 23:45
  • On the Security Key section, there's the option to change PIN - which I can't do because it requires current PIN - and reset the key. But it says to reset to factory settings. So I'd lose all authentication info and have trouble with portals I had alrdy added it. – Hikari Nov 29 '21 at 23:58
  • 1
    I do not know any way around that at this point. You would have to go to the portals, remove your credentials, and then add new ones. – John Nov 30 '21 at 00:04
  • I don't understand why Windows is doing this. Looks like it's trying to bind Windows Hello to the key and use Hello to manage the key. Windows Hello should be to authenticate on the OS, not to manage portals authentication. It's so dumb that it doesn't let me change the PIN on a device that may be used for passwordless authentication, but when Windows Hello is enabled it's used instead. – Hikari Nov 30 '21 at 00:22
  • I am not entirely sure it is Windows. I think you created a PIN on the device without first creating one in Windows and so had to go back and fix it. The outcome is you have to redo portal credentials. – John Nov 30 '21 at 00:31
  • The portal credentials should not have to be setup again, as those are not internal to Windows, only what is stored with the Credential Manager within Windows. – Ramhound Nov 30 '21 at 13:15