Admin troubleshooting PIN support for FIDO2 WebAuthn

Intended audience: Administrators

Applies to the Identity Platform release 21.04

Use this topic to learn about PIN support for FIDO2 WebAuthn. It covers the administrative setting that requires user verification (PIN) during FIDO2 device registration and authentication. In WebAuthn terms, the setting asks the authenticator for user verification; on a security key that verification is the FIDO2 (CTAP2) PIN stored on the key, so a key that has never had a PIN set cannot satisfy the requirement.

The goal is to help you troubleshoot issues where end users cannot register their FIDO2 device or cannot authenticate. This might be due to the Enforce PIN setting (for example, when the device has no PIN set), or to a browser and operating system combination that does not support the Enforce PIN setting.

Note

FIDO2 authenticators can be external security keys or authenticators built into devices such as phones and laptops. In the Identity Platform UI, the term device is used interchangeably for either a device or a security key.

To learn more about the FIDO2 WebAuthn user experience, and under what conditions certain error and warning messages could occur, see Admin troubleshooting FIDO2 WebAuthn error and warning messages.

Identity Platform configurations and FIDO2 device types

Identity Platform deployment type: Hybrid

Global MFA setting for FIDO2 (WebAuthn): Turn on (enable) setting to require user verification (PIN) for FIDO2 authenticators during device registration and authentication


Supported security keys: YubiKey 5 Series or later

Unsupported security keys:

  • YubiKey 4 Series

  • YubiKey Legacy

  • YubiKey FIPS Series

  • YubiKey HSM Series

  • Titan device

Android and iOS mobile devices

The Enforce PIN setting for device registration and authentication is not supported on Android or iOS mobile devices.

To learn more about PIN support for YubiKeys, see their article: YubiKey - operating system and web browser support for FIDO2.

The following table describes the end user experience with the Enforce PIN setting on the Windows 10 operating system (desktop, laptop, and server) with certain browsers. Rows are grouped by the combination of the registration and authentication settings.

| Browser | Enforce PIN during device registration | Enforce PIN during authentication | Enforce PIN supported? (browser and OS) | Comments |
| --- | --- | --- | --- | --- |
| Chrome | On | On | Yes | Registration: prompts user to provide PIN. Authentication: prompts user to provide PIN. |
| Firefox | On | On | Yes | Registration: prompts user to provide PIN. Authentication: prompts user to provide PIN. |
| Microsoft Edge | On | On | Yes | Registration: prompts user to provide PIN. Authentication: prompts user to provide PIN. |
| Chrome | On | Off | Yes | Registration: prompts user to provide PIN. Authentication: no PIN request is sent to the user; user can authenticate. |
| Firefox | On | Off | Yes | Registration: prompts user to provide PIN. Authentication: no PIN request is sent to the user; user can authenticate. |
| Microsoft Edge | On | Off | Yes | Registration: prompts user to provide PIN. Authentication: no PIN request is sent to the user; user can authenticate. |
| Chrome | Off | On | Yes | Device PIN already set (through YubiKey Manager): registration prompts for PIN; authentication prompts for PIN. Device PIN not set: registration sends no PIN request and the user can register; authentication fails (user cannot authenticate into the resource) and the user must re-register the device. |
| Firefox | Off | On | No | Device PIN already set (through YubiKey Manager): registration prompts for PIN; authentication prompts for PIN. Device PIN not set: registration sends no PIN request and the user can register; authentication fails (user cannot authenticate into the resource) and the user must re-register the device. |
| Microsoft Edge | Off | On | Yes | Device PIN already set (through YubiKey Manager): registration prompts for PIN; authentication prompts for PIN. Device PIN not set: registration sends no PIN request and the user can register; authentication fails (user cannot authenticate into the resource) and the user must re-register the device. |
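The setting described at the top of this topic and the "device PIN not set" rows in the tables both come down to one WebAuthn detail: whether the relying party asked for user verification and whether the device reported it. The following is an added example, not code from the Identity Platform or from this page. It shows how an Enforce PIN value maps onto the userVerification option of the registration and authentication requests, and how to decode the authenticator data a device returns to see whether the UV (user verified) flag is set, which is what a server checks when the setting is on. The relying-party ID idp.example.com, the user record, and the sample authenticator data bytes are constructed assumptions.

```javascript
// Added example, not code from the Identity Platform or from this page.
// Names such as the rpId "idp.example.com" and the user record are assumptions.

// Enforce PIN on => ask the authenticator for user verification. A FIDO2 key
// with no PIN set cannot satisfy "required", which is the cause of the
// "device PIN not set" failures in the troubleshooting tables.
function userVerificationFor(enforcePin) {
  return enforcePin ? "required" : "discouraged";
}

// Options for navigator.credentials.create() during device registration.
function registrationOptions({ challenge, enforcePin }) {
  return {
    publicKey: {
      rp: { id: "idp.example.com", name: "Example IdP" }, // assumption
      user: {
        id: new TextEncoder().encode("user-0001"),        // assumption
        name: "alice@example.com",
        displayName: "Alice",
      },
      challenge,
      pubKeyCredParams: [
        { type: "public-key", alg: -7 },   // ES256
        { type: "public-key", alg: -257 }, // RS256
      ],
      authenticatorSelection: {
        authenticatorAttachment: "cross-platform", // roaming key such as a YubiKey 5
        userVerification: userVerificationFor(enforcePin),
      },
      timeout: 60000,
    },
  };
}

// Options for navigator.credentials.get() during authentication.
function authenticationOptions({ challenge, credentialId, enforcePin }) {
  return {
    publicKey: {
      rpId: "idp.example.com", // assumption
      challenge,
      allowCredentials: [{ type: "public-key", id: credentialId }],
      userVerification: userVerificationFor(enforcePin),
      timeout: 60000,
    },
  };
}

// Authenticator data layout (WebAuthn, section 6.1 "Authenticator Data"):
//   rpIdHash[32] | flags[1] | signCount[4, big-endian] | optional data...
// flags: 0x01 UP (user present), 0x04 UV (user verified),
//        0x40 AT (attested credential data follows), 0x80 ED (extensions follow)
function parseAuthenticatorData(bytes) {
  if (bytes.length < 37) throw new Error("authenticator data shorter than 37 bytes");
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    rpIdHash: bytes.slice(0, 32),
    flags,
    userPresent: (flags & 0x01) !== 0,
    userVerified: (flags & 0x04) !== 0,
    hasAttestedCredentialData: (flags & 0x40) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Server-side rule for an assertion: UP must always be set; with Enforce PIN
// on, UV must be set as well. A key that completed the ceremony without a PIN
// returns UV clear, and this is where such a response is rejected.
function checkAssertionFlags(authData, enforcePin) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) {
    return { ok: false, reason: "UP flag clear: no user presence" };
  }
  if (enforcePin && !parsed.userVerified) {
    return { ok: false, reason: "UV flag clear: PIN not verified (device may have no PIN set)" };
  }
  return { ok: true, reason: "" };
}

// Constructed sample authenticator data (not captured from a real device):
// all-zero rpIdHash, the given flags byte, sign counter 7.
function sampleAuthData(flags) {
  const bytes = new Uint8Array(37);
  bytes[32] = flags;
  bytes[36] = 7;
  return bytes;
}
```

To use this against a real ceremony, run the authentication in the browser console with `await navigator.credentials.get(authenticationOptions({ challenge, credentialId, enforcePin: true }))` and pass `new Uint8Array(credential.response.authenticatorData)` to parseAuthenticatorData; for a registration the same bytes sit inside the CBOR-encoded attestationObject (recent browsers also expose them through response.getAuthenticatorData()). A response with UP set but UV clear while Enforce PIN is on is the signature of the "device PIN not set" rows: the key completed the ceremony without a PIN, so the authentication is refused. As the tables note, a key that already has a PIN set through YubiKey Manager passes, and otherwise the user must re-register the device.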

The following table describes the end user experience with the Enforce PIN setting on the macOS 10.x operating system (desktop, laptop, and server) with certain browsers. Rows are grouped by the combination of the registration and authentication settings.

| Browser | Enforce PIN during device registration | Enforce PIN during authentication | Enforce PIN supported? (browser and OS) | Comments |
| --- | --- | --- | --- | --- |
| Chrome | On | On | Yes | Registration: prompts user to provide PIN. Authentication: prompts user to provide PIN. |
| Firefox | On | On | No | Registration: browser and OS combination is not supported; user cannot register device. Authentication: browser and OS combination is not supported; user cannot authenticate. |
| Apple Safari (up to 13.1.2) | On | On | No | Registration: browser and OS combination is not supported; user cannot register device. Authentication: browser and OS combination is not supported; user cannot authenticate. |
| Apple Safari 14 | On | On | Yes | Registration: prompts user to provide PIN. Authentication: prompts user to provide PIN. |
| Chrome | On | Off | Yes | Registration: prompts user to provide PIN. Authentication: no PIN request is sent to the user; user can authenticate. |
| Firefox | On | Off | No | Registration: browser and OS combination is not supported; user cannot register device. Authentication: browser and OS combination is not supported; user cannot authenticate. |
| Apple Safari (up to 13.1.2) | On | Off | No | Registration: browser and OS combination is not supported; user cannot register device. Authentication: browser and OS combination is not supported; user cannot authenticate. |
| Apple Safari 14 | On | Off | Yes | Device PIN already set (through YubiKey Manager): registration prompts for PIN; authentication prompts for PIN. Device PIN not set: registration is not supported and the user cannot register the device; authentication is not supported and the user cannot authenticate. The user must set a PIN on the device (for example, through YubiKey Manager) before registering. |
| Chrome | Off | On | Yes | Device PIN already set (through YubiKey Manager): registration sends no PIN request and the user can register; authentication prompts for PIN. Device PIN not set: registration sends no PIN request and the user can register; authentication fails (user cannot authenticate into the resource) and the user must re-register the device. |
| Firefox | Off | On | No | Registration: no PIN request is sent to the user; user can register device. Authentication: browser and OS combination is not supported; user cannot authenticate. This use case requires the user to re-register their device. |
| Apple Safari (up to 13.1.2) | Off | On | No | Registration: no PIN request is sent to the user; user can register device. Authentication: browser and OS combination is not supported; user cannot authenticate. |
| Apple Safari 14 | Off | On | Yes | Device PIN already set (through YubiKey Manager): registration prompts for PIN; authentication prompts for PIN. Device PIN not set: registration sends no PIN request and the user can register; authentication fails (user cannot authenticate into the resource) and the user must re-register the device. |

The following table describes the end user experience with the Enforce PIN setting on the Linux operating system (desktop, laptop, and server) with certain browsers. Rows are grouped by the combination of the registration and authentication settings.

| Browser | Enforce PIN during device registration | Enforce PIN during authentication | Enforce PIN supported? (browser and OS) | Comments |
| --- | --- | --- | --- | --- |
| Chrome | On | On | Yes | Registration: prompts user to provide PIN. Authentication: prompts user to provide PIN. |
| Firefox | On | On | No | Registration: browser and OS combination is not supported; user cannot register device. Authentication: browser and OS combination is not supported; user cannot authenticate. |
| Chrome | On | Off | Yes | Registration: prompts user to provide PIN. Authentication: no PIN request is sent to the user; user can authenticate. |
| Firefox | On | Off | No | Registration: browser and OS combination is not supported; user cannot register device. Authentication: browser and OS combination is not supported; user cannot authenticate. |
| Chrome | Off | On | Yes | Device PIN already set (through YubiKey Manager): registration sends no PIN request and the user can register; authentication prompts for PIN. Device PIN not set: registration sends no PIN request and the user can register; authentication fails (user cannot authenticate) and the user must re-register the device. |
| Firefox | Off | On | No | Registration: no PIN request is sent to the user; user can register device. Authentication: browser and OS combination is not supported; user cannot authenticate. |