Forum Discussion
Why is a PIN required for using a hardware key for MFA?
In your case it sounds like there was a PIN already set on that key if it is asking you for a PIN. Normally, the first time you enroll a key it will ask you to create a new PIN. So you'll need to reset that PIN. You can download a utility from the Yubico website to wipe the key so that you can establish a new PIN. https://support.yubico.com/hc/en-us/articles/360015654100-YubiKey-PIN-and-PUK-User-Management
- JeremySRITS, Jun 01, 2021, Brass Contributor
Joe Stocker, thank you for your reply. That's good to know, and that does answer my question.
That's unfortunate, as my ideal configuration would be multi-factor with just a password (something I know) and a hardware key (something I have), with no third factor and no PIN, which is more consistent with the way most of the other services I use have implemented FIDO keys.
Thanks again for your help.
- bertilak, Sep 15, 2022, Copper Contributor
I too feel the PIN is not necessary for 2FA as the password is the first factor and the presence of the key is the second factor.
It would be nice if things could be configured this way. Perhaps I am missing something -- if so, can someone enlighten me?
I have a YubiKey 5 nano and a YubiKey 5C NFC.
- Eric W, Mar 31, 2024, Copper Contributor
bertilak
You shouldn't be asked for a password if you are setting up a security key for Microsoft. PINs should replace the password, and a PIN is different from a password: it is only stored on the device, whereas a password is stored on a server, hashed, and attacked all the time. Think of a debit card: when was the last time you changed that PIN?
You basically have something you know (the PIN to unlock the key) and something you have (the key, which holds the private key used to perform the authentication with cryptography instead of a hash match).
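To make the point in the last post concrete, here is an added example (not code from the thread or from Microsoft or Yubico) that models the two halves of a FIDO2 login: an authenticator that holds the private key and checks the PIN locally, and a relying party that stores only the public key and a signature counter. It is a simplified model in Go's standard library, not the CTAP2/WebAuthn wire format: real keys never receive the raw PIN (CTAP2 derives a pinUvAuthToken over ECDH) and enforce retry limits before locking, and real authenticatorData carries more fields than the flags byte and counter used here. The PIN value, the challenge text and the struct names are assumptions for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator models the security key: private key plus a PIN that is
// verified on the device and never sent anywhere. (Simplified model, not CTAP2.)
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	pinHash [32]byte // digest of the PIN, held only on the key
	counter uint32   // signature counter, incremented per assertion
}

// RelyingParty models the server: it stores only the credential's public key
// and the last counter it saw. There is no password hash to steal or crack.
type RelyingParty struct {
	pub     *ecdsa.PublicKey
	counter uint32
}

// Assertion is what the key returns for one challenge.
type Assertion struct {
	AuthData  []byte // flags byte + 4-byte big-endian counter (simplified authenticatorData)
	Signature []byte // ASN.1 ECDSA signature over SHA-256(authData || SHA-256(challenge))
}

const flagUserVerified = 0x04 // UV bit of the authenticatorData flags byte

// NewAuthenticator enrolls a fresh P-256 credential and sets the PIN, as a
// key does the first time it is registered.
func NewAuthenticator(pin string) *Authenticator {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{priv: priv, pinHash: sha256.Sum256([]byte(pin))}
}

// Register hands the relying party the public key only.
func (a *Authenticator) Register() *RelyingParty {
	return &RelyingParty{pub: &a.priv.PublicKey}
}

// Sign checks the PIN on the device; only if it matches does the key use the
// private key. A wrong PIN stops here, before anything reaches the server.
func (a *Authenticator) Sign(pin string, challenge []byte) (*Assertion, error) {
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], a.pinHash[:]) != 1 {
		return nil, errors.New("authenticator: PIN incorrect, refusing to sign")
	}
	a.counter++
	authData := make([]byte, 5)
	authData[0] = flagUserVerified
	binary.BigEndian.PutUint32(authData[1:], a.counter)
	payload := signedPayload(authData, challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, payload[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{AuthData: authData, Signature: sig}, nil
}

// signedPayload mirrors WebAuthn: hash(authenticatorData || clientDataHash).
func signedPayload(authData, challenge []byte) [32]byte {
	ch := sha256.Sum256(challenge)
	return sha256.Sum256(append(append([]byte{}, authData...), ch[:]...))
}

// Verify checks UV was performed, the counter moved forward (replay and
// clone detection), and the signature is valid for the stored public key.
func (rp *RelyingParty) Verify(challenge []byte, as *Assertion) error {
	if len(as.AuthData) != 5 || as.AuthData[0]&flagUserVerified == 0 {
		return errors.New("rp: user verification flag not set")
	}
	ctr := binary.BigEndian.Uint32(as.AuthData[1:])
	if ctr <= rp.counter {
		return errors.New("rp: signature counter did not increase")
	}
	payload := signedPayload(as.AuthData, challenge)
	if !ecdsa.VerifyASN1(rp.pub, payload[:], as.Signature) {
		return errors.New("rp: bad signature")
	}
	rp.counter = ctr
	return nil
}

// Login runs one round: fresh random challenge, PIN-gated signature, verify.
func Login(rp *RelyingParty, key *Authenticator, pin string) error {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return err
	}
	as, err := key.Sign(pin, challenge)
	if err != nil {
		return err
	}
	return rp.Verify(challenge, as)
}

func main() {
	key := NewAuthenticator("123456") // assumed PIN, set at enrollment
	rp := key.Register()              // server receives the public key only
	fmt.Println("correct PIN:", Login(rp, key, "123456"))
	fmt.Println("wrong PIN:  ", Login(rp, key, "000000"))
}
```

The two factors are visible in the code: the private key never leaves the Authenticator (something you have), and the PIN is compared inside the Authenticator and never appears in RelyingParty at all (something you know). The server holds nothing that can be replayed or cracked offline, which is why a PIN-protected key is accepted as multi-factor on its own.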