Managing PIN complexity on FIDO Security Keys

I have FIDO2 security keys working as part of Windows Hello for Business login to Windows 10 devices.

Whilst I can set PIN complexity as part of the user gesture PIN code, I don't seem to be able to do this when FIDO2 keys are used.

I am using the KEY-ID ones, which require a PIN followed by a button press on the key to confirm physical presence.

Can anyone advise in this regard?

6 Replies
Hi, we have exactly the same issue. We would like to use FIDO2 keys, but the PIN security is way too bad for our security department.
Does anyone at Microsoft have an answer?
FIDO2 standard does not use complexity by default.
So 1111 and 1234 are allowed.
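Since the authenticator itself only checks length, the one place an organisation can apply a complexity rule is in the enrollment tooling, before the PIN is ever sent to the key. The following is an added example, not code from this thread or from any key vendor: a small, self-contained policy check that an enrollment helper could run on a candidate PIN. The length limits (minimum 4 Unicode code points, maximum 63 bytes of UTF-8) are the CTAP2 rules; the local minimum length of 6 and the repeated/sequential-digit rejection are an assumed local policy, and the `check_pin` function name and the sample PINs are constructed for the example.

```python
"""Enrollment-time PIN policy check for FIDO2/CTAP2 authenticators.

CTAP2 only requires a PIN to be at least 4 Unicode code points and at most
63 bytes of UTF-8; the authenticator does not reject repeated or sequential
digits, so "1111" and "1234" are accepted by the key itself.  This is a
constructed, organisation-side check that an enrollment tool could run
before calling the authenticator's setPIN.  The length constants come from
the CTAP2 specification; the pattern rules and the local minimum length
are an assumed local policy, not part of the standard.
"""

CTAP2_MIN_CODEPOINTS = 4    # CTAP2.0 minimum; CTAP2.1 minPinLength may only raise it
CTAP2_MAX_UTF8_BYTES = 63   # CTAP2 maximum PIN length as sent to the authenticator


def check_pin(pin: str, min_length: int = 6) -> list[str]:
    """Return a list of policy violations; an empty list means the PIN passes."""
    problems: list[str] = []

    # Hard limits imposed by the standard: the key will refuse these anyway,
    # but reporting them here gives the user a clear message up front.
    if len(pin) < CTAP2_MIN_CODEPOINTS:
        problems.append("shorter than CTAP2 minimum of 4 code points")
    if len(pin.encode("utf-8")) > CTAP2_MAX_UTF8_BYTES:
        problems.append("longer than CTAP2 maximum of 63 UTF-8 bytes")

    # Assumed local policy: a longer minimum than the standard requires.
    if len(pin) < min_length:
        problems.append(f"shorter than local minimum of {min_length}")

    # Assumed local policy: reject the trivial all-digit patterns the
    # authenticator would otherwise accept, such as 1111 and 1234.
    if pin.isdigit():
        if len(set(pin)) == 1:
            problems.append("single repeated digit")
        digits = [int(c) for c in pin]
        steps = {b - a for a, b in zip(digits, digits[1:])}
        if steps in ({1}, {-1}):
            problems.append("sequential digits")

    return problems


if __name__ == "__main__":
    # Constructed sample PINs, not taken from any real enrollment.
    for candidate in ["1111", "1234", "987654", "111111", "Tr0ub4dor&3"]:
        verdict = check_pin(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The check runs entirely on the enrolling workstation; the authenticator never sees a PIN that fails it. It does not make the key enforce anything, which is the limitation the thread describes: a user who sets a PIN through any other path (the Windows Settings dialog, a vendor tool) bypasses the policy.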

Hi Jan
Yes, and that is exactly the issue.
Do you know whether it is possible to apply/force complexity rules to FIDO2 devices?
Unfortunately not.

But check out this key: https://janbakker.tech/this-might-be-the-fido2-key-for-you-authentrend-atkey-pro/

You can do offline enrollment of the fingerprint, so a user is never prompted to configure a PIN. If you’re interested, please ping me on socials for a free sample.
Then what happens if the user’s fingerprint fails to be read for any reason such as wet hands?
The FIDO2 keys generally fail over to the PIN after some number of biometric fails and they won’t know the PIN.
You cannot manage it as such, but you can choose devices with enforced PIN complexity. The only ones enforcing PIN complexity are the PIN+ Series from Token2. Sales start in September 2023.

https://www.token2.swiss/site/page/blog?p=posts/70