Yubikey 5c doesn't ask for a PIN

let4be · April 11, 2024, 9:25pm

I’ve tried adding YubiKey as a Passkey to an Internet Identity to test several things…

It’s working okay but to my HUGE surprise it doesn’t ask for a pin - which is horrible for security, what happenes if someone steals it or I just lose it.

Does it mean someone can just go and brute force all Internet Identity numbers(it’s not so hard, they are all sequential and correlated with II creation date) and use this YubiKey like nothing happened?..

Seems like a GLARING security hole

let4be · April 11, 2024, 9:27pm

The only reasonable way I can see is to use Trezor’s FIDO U2F as Trezor enforces manual unlock with a pin before it can be used as U2F(or anything else for that matter)

But Trezor is bulky, I’d really like to use something like Yubikey., just not without a mandatory PIN

Topic		Replies	Views
Recent changes login my Internet identity using Yubikey - Lowering security by much DFINITY	0	595	July 14, 2021
Streamlined Internet Identity Authentication Flow: Now just a single click internet-identity	15	1639	July 11, 2022
Internet Identity (Doubt in creating a new II Anchor) Language Support Motoko	7	763	February 28, 2022
Welcome to Internet Identity. New user? Register with Internet Identity DFINITY	147	18495	November 28, 2023
Why does Internet Identity require biometric auth? General	10	1275	June 18, 2021

Yubikey 5c doesn't ask for a PIN

Related Topics