FIDO2 Security Keys. To PIN or not to PIN?


Whether a PIN is required when using a FIDO2 security key depends on several factors, including the service provider's authentication settings. This is why some services always prompt for a PIN while others never do, so we have decided to clarify these aspects.

In certain scenarios, mandating a PIN for every authentication attempt may be crucial to ensure maximum security. However, this approach could prove inconvenient for users, particularly if they need to authenticate frequently. Conversely, permitting authentication without a PIN may enhance user convenience but could potentially compromise security. Therefore, striking a balance between security and usability is paramount when determining whether to enforce a PIN requirement.

Service providers have the flexibility to require a PIN for every authentication attempt, to prompt for a PIN only when one is set on the key, or to never request a PIN at all. Additionally, users can override the service's setting and enforce a PIN request by enabling the "always_uv" option on their FIDO2 security keys. This ensures that a PIN is always required, irrespective of the service's preferences. For more detailed information on FIDO2 security keys, PIN protection, and their configuration, please refer to our comprehensive guide.
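The three service-side choices above correspond to the WebAuthn `userVerification` values, and the relying party can only be sure a PIN was entered by checking the UV flag the key returns in its authenticatorData. The following is an added example (not Token2's code or any service's implementation) that builds the request with the chosen policy and enforces the policy server-side on constructed authenticatorData for a hypothetical `example.com` relying party:

```python
import hashlib
import struct

# WebAuthn userVerification values a service can request from the browser:
# "required"    -> PIN/biometric every time; the key must set the UV flag
# "preferred"   -> UV if the key has a PIN set (or always_uv is on), else touch only
# "discouraged" -> the service asks for no PIN (a key with always_uv may still prompt)
POLICIES = ("required", "preferred", "discouraged")

FLAG_UP = 0x01  # user presence: the key was touched
FLAG_UV = 0x04  # user verification: PIN or biometric was checked on the key

def assertion_options(rp_id: str, challenge: bytes, policy: str) -> dict:
    """Fragment of PublicKeyCredentialRequestOptions the service sends to the browser."""
    if policy not in POLICIES:
        raise ValueError(f"unknown userVerification policy: {policy}")
    return {"rpId": rp_id, "challenge": challenge, "userVerification": policy}

def parse_flags(auth_data: bytes) -> tuple:
    """Return (UP, UV) from the flags byte of authenticatorData (offset 32)."""
    if len(auth_data) < 37:  # 32-byte rpIdHash + 1 flags byte + 4-byte counter
        raise ValueError("authenticatorData too short")
    flags = auth_data[32]
    return bool(flags & FLAG_UP), bool(flags & FLAG_UV)

def uv_policy_satisfied(auth_data: bytes, policy: str) -> bool:
    """Server-side check: requesting UV is not proof; the returned UV flag is."""
    up, uv = parse_flags(auth_data)
    if not up:
        return False      # a touch is always required for an assertion
    if policy == "required":
        return uv         # a PIN/biometric check must actually have happened
    return True           # preferred/discouraged: UV optional; log `uv` for audit

def make_auth_data(rp_id: str, flags: int, counter: int) -> bytes:
    """Constructed sample authenticatorData with no attested credential or extensions."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", counter)

# Constructed samples: a key with a PIN (or always_uv) set, and one with no PIN.
WITH_PIN = make_auth_data("example.com", FLAG_UP | FLAG_UV, 7)
NO_PIN = make_auth_data("example.com", FLAG_UP, 7)
```

Note that "preferred" alone never guarantees a PIN was entered: a key without a PIN set returns UP only, and the service accepts it unless it checks the UV flag itself.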


Did you know?

Token2 currently offers the most secure FIDO2 keys for enterprise customers, known as the PIN+ Series FIDO2 keys. These keys, certified by the FIDO Alliance, enforce PIN complexity at the firmware level. This unique feature is not available with other keys, even those marked as FIPS-certified.