Admin troubleshooting PIN support for FIDO2 WebAuthn

Intended audience: Administrators

Applies to the Identity Platform release 21.04 or later

Use this topic to learn about PIN support for FIDO2 WebAuthn. This relates to the administrative setting to require user verification (PIN) during FIDO2 device registration and authentication.

The goal is to help you troubleshoot any issues where end users cannot register their FIDO2 device or authenticate. This might be due to the admin setting of enforce PIN, or an incompatible combination of a browser and operating system for the enforce PIN setting.

Note

FIDO2 authenticators could be known as external security keys or built into devices like phones and laptops. In the Identity Platform UI, the term device is interchangeable to mean either device or security key.

To learn more about the FIDO2 WebAuthn user experience, and under what conditions certain error and warning messages could occur, see Admin troubleshooting FIDO2 WebAuthn error and warning messages.

Identity Platform configurations and FIDO2 device types

Identity Platform deployment type: Hybrid

Global MFA setting for FIDO2 (WebAuthn): Turn on (enable) setting to require user verification (PIN) for FIDO2 authenticators during device registration and authentication

Supported security keys: YubiKey 5 Series or later

Unsupported security keys:

YubiKey 4 Series
YubiKey Legacy
YubiKey FIPS Series
YubiKey HSM Series
Titan device

Android mobile device

The Enforce PIN setting for device registration and authentication is not supported on Android mobile devices.

To learn more about PIN support for YubiKeys, see their article: YubiKey - operating system and web browser support for FIDO2.

iOS mobile device

The Enforce PIN setting for device registration and authentication is not supported on iOS mobile devices.

To learn more about PIN support for YubiKeys, see their article: YubiKey - operating system and web browser support for FIDO2.

Windows 10

The following table describes the end user experience with the Enforce PIN setting on Windows 10 operating system (desktop, laptop, and server) with certain browsers.

Browser	Enforce PIN setting during device registration	Enforce PIN setting during authentication	Enforce PIN supported? (browser and OS)	Comments
Chrome	On	On	Yes	Registration: Prompts user to provide PIN. Authentication: Prompts user to provide PIN.
Firefox	On	On	Yes	Registration: Prompts user to provide PIN. Authentication: Prompts user to provide PIN.
Microsoft Edge	On	On	Yes	Registration: Prompts user to provide PIN. Authentication: Prompts user to provide PIN.
Browser	Enforce PIN setting during device registration	Enforce PIN setting during authentication	Enforce PIN supported? (browser and OS)	Comments
Chrome	On	Off	Yes	Registration: Prompts user to provide PIN. Authentication: PIN request is not sent to user during authentication. User can authenticate.
Firefox	On	Off	Yes	Registration: Prompts user to provide PIN. Authentication: PIN request is not sent to user during authentication. User can authenticate.
Microsoft Edge	On	Off	Yes	Registration: Prompts user to provide PIN. Authentication: PIN request is not sent to user during authentication. User can authenticate.
Browser	Enforce PIN setting during device registration	Enforce PIN setting during authentication	Enforce PIN supported? (browser and OS)	Comments
Chrome	Off	On	Yes	If the device PIN is already set through the YubiKey Manager: Registration: Prompts user to provide PIN. Authentication: Prompts user to provide PIN. If the device PIN is NOT set: Registration: PIN request is not sent to user. User can register device. Authentication: User cannot authenticate into resource. This use case requires user to re-register their device.
Firefox	Off	On	No	If the device PIN is already set through the YubiKey Manager: Registration: Prompts user to provide PIN. Authentication: Prompts user to provide PIN. If the device PIN is NOT set: Registration: PIN request is not sent to user. User can register device. Authentication: User cannot authenticate into resource. This use case requires user to re-register their device.
Microsoft Edge	Off	On	Yes	If the device PIN is already set through the YubiKey Manager: Registration: Prompts user to provide PIN. Authentication: Prompts user to provide PIN. If the device PIN is NOT set: Registration: PIN request is not sent to user. User can register device. Authentication: User cannot authenticate into resource. This use case requires user to re-register their device.

Mac OS version 10.x

The following table describes the end user experience with the Enforce PIN setting on Mac OS version 10.x operating system (desktop, laptop, and server) with certain browsers.

Browser	Enforce PIN setting during device registration	Enforce PIN setting during authentication	Enforce PIN supported? (browser and OS)	Comments
Chrome	On	On	Yes	Registration: Prompts user to provide PIN. Authentication: Prompts user to provide PIN.
Firefox	On	On	No	Registration: Browser and OS combination is not supported. User cannot register device. Authentication: Browser and OS combination is not supported. User cannot authenticate.
Apple Safari (up to 13.1.2)	On	On	No	Registration: Browser and OS combination is not supported. User cannot register device. Authentication: Browser and OS combination is not supported. User cannot authenticate.
Apple Safari 14	On	On	Yes	Registration: Prompts user to provide PIN. Authentication: Prompts user to provide PIN.
Browser	Enforce PIN setting during device registration	Enforce PIN setting during authentication	Enforce PIN supported? (browser and OS)	Comments
Chrome	On	Off	Yes	Registration: Prompts user to provide PIN. Authentication: PIN request is not sent to user during authentication. User can authenticate.
Firefox	On	Off	No	Registration: Browser and OS combination is not supported. User cannot register device. Authentication: Browser and OS combination is not supported. User cannot authenticate.
Apple Safari (up to 13.1.2)	On	Off	No	Registration: Browser and OS combination is not supported. User cannot register device. Authentication: Browser and OS combination is not supported. User cannot authenticate.
Apple Safari 14	On	Off	Yes	If the device PIN is already set through the YubiKey Manager: Registration: Prompts user to provide PIN. Authentication: Prompts user to provide PIN. If the device PIN is NOT set: Registration: Browser and OS combination is not supported. User cannot register device. Authentication: Browser and OS combination is not supported. User cannot authenticate.
Browser	Enforce PIN setting during authentication	Enforce PIN supported? (browser and OS)	Comments
Chrome	Off	On	Yes	If the device PIN is already set through the YubiKey Manager: Registration: PIN request is not sent to user. User can register device. Authentication: Prompts user to provide PIN. If the device PIN is NOT set: Registration: PIN request is not sent to user. User can register device. Authentication: User cannot authenticate into resource. This use case requires user to re-register their device.
Firefox	Off	On	No	Registration: PIN request is not sent to user. User can register device. Authentication: Browser and OS combination is not supported. User cannot authenticate. This use case requires user to re-register their device.
Apple Safari (up to 13.1.2)	Off	On	No	Registration: PIN request is not sent to user. User can register device. Authentication: Browser and OS combination is not supported. User cannot authenticate.
Apple Safari 14	Off	On	Yes	If the device PIN is already set through the YubiKey Manager: Registration: Prompts user to provide PIN. Authentication: Prompts user to provide PIN. If the device PIN is NOT set: Registration: PIN request is not sent to user. User can register device. Authentication: User cannot authenticate into resource. This use case requires user to re-register their device.

Linux

The following table describes the end user experience with the Enforce PIN setting on Linux operating system (desktop, laptop, and server) with certain browsers.

Browser	Enforce PIN setting during device registration	Enforce PIN setting during authentication	Enforce PIN supported? (browser and OS)	Comments
Chrome	On	On	Yes	Registration: Prompts user to provide PIN. Authentication: Prompts user to provide PIN.
Firefox	On	On	No	Registration: Browser and OS combination is not supported. User cannot register device. Authentication: Browser and OS combination is not supported. User cannot authenticate.
Browser	Enforce PIN setting during device registration	Enforce PIN setting during authentication	Enforce PIN supported? (browser and OS)	Comments
Chrome	On	Off	Yes	Registration: Prompts user to provide PIN. Authentication: PIN request is not sent to user during authentication. User can authenticate.
Firefox	On	Off	No	Registration: Browser and OS combination is not supported. User cannot register device. Authentication: Browser and OS combination is not supported. User cannot authenticate.
Browser	Enforce PIN setting during device registration	Enforce PIN setting during authentication	Enforce PIN supported? (browser and OS)	Comments
Chrome	Off	On	Yes	If the device PIN is already set through the YubiKey Manager: Registration: PIN request is not sent to user. User can register device. Authentication: Prompts user to provide PIN. If the device PIN is NOT set: Registration: PIN request is not sent to user. User can register device. This use case requires user to re-register their device. Authentication: Browser and OS combination is not supported. User cannot authenticate.
Firefox	Off	On	No	Registration: PIN request is not sent to user. User can register device. Authentication: Browser and OS combination is not supported. User cannot authenticate.

In this section: