Why is a PIN required for using a hardware key for MFA?

%3CLINGO-SUB%20id%3D%22lingo-sub-2349304%22%20slang%3D%22en-US%22%3EWhy%20is%20a%20PIN%20required%20for%20using%20a%20hardware%20key%20for%20MFA%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2349304%22%20slang%3D%22en-US%22%3E%3CP%3EI%20am%20trying%20to%20pilot%20using%26nbsp%3B%3CSPAN%3EFIDO2%3C%2FSPAN%3E%20hardware%20keys%20for%20MFA%20with%20Office%20365.%20I%20see%20the%20option%20to%20add%20a%20hardware%20key%20in%20my%20Office%20365%20account%20security%20options.%20After%20inserting%20my%20hardware%20key%2C%20I%20get%20a%20message%20in%20Microsoft%20Edge%20that%20says%20%22PIN%20required%20-%20Enter%20the%20PIN%20for%20your%20security%20key%22.%20This%20is%20a%20Yubikey%2C%20and%20it%20is%20not%20currently%20registered%20as%20an%20authentication%20method%20on%20my%20account.%20I%20don't%20have%20a%20PIN%20for%20it.%20Why%20am%20I%20being%20asked%20for%20this%3F%20I%20want%20to%20use%20this%20key%20my%20MFA%20authentication%20method%2C%20replacing%20my%20usual%20method%20of%20a%20mobile%20phone%20authenticator%20app.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2398823%22%20slang%3D%22en-US%22%3ERe%3A%20Why%20is%20a%20PIN%20required%20for%20using%20a%20hardware%20key%20for%20MFA%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2398823%22%20slang%3D%22en-US%22%3EMicrosoft%20has%20chosen%20to%20require%20a%20PIN%20for%20their%20implementation%20of%20FIDO2%20because%20if%20someone%20loses%20the%20key%2C%20they%20don't%20want%20it%20to%20be%20used%20as%20single%20factor%20(something%20you%20have)%20and%20they%20instead%20want%20it%20to%20be%20multi-factor%20(something%20you%20know%2C%20PIN%20%2B%20something%20you%20have).%3CBR%20%2F%3EIn%20your%20case%20it%20sounds%20like%20there%20was%20a%20PIN%20already%20set%20on%20that%20key%20if%20it%20is%20asking%20you%20for%20a%20PIN.%20Normally%2C%20the%20first%20time%20you%20enroll%20a%20key%20it%20will%20ask%20you%20to%20create%20a%20new%20PIN.%20So%20you'll%20need%20to%20reset%20that%20PIN.%20You%20can%20download%20a%20utility%20from%20the%20Yubico%20website%20to%20wipe%20the%20key%20so%20that%20you%20can%20establish%20a%20new%20PIN.%20%3CA%20href%3D%22https%3A%2F%2Fsupport.yubico.com%2Fhc%2Fen-us%2Farticles%2F360015654100-YubiKey-PIN-and-PUK-User-Management%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.yubico.com%2Fhc%2Fen-us%2Farticles%2F360015654100-YubiKey-PIN-and-PUK-User-Management%3C%2FA%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

I am trying to pilot using FIDO2 hardware keys for MFA with Office 365. I see the option to add a hardware key in my Office 365 account security options. After inserting my hardware key, I get a message in Microsoft Edge that says "PIN required - Enter the PIN for your security key". This is a Yubikey, and it is not currently registered as an authentication method on my account. I don't have a PIN for it. Why am I being asked for this? I want to use this key my MFA authentication method, replacing my usual method of a mobile phone authenticator app.

2 Replies
Microsoft has chosen to require a PIN for their implementation of FIDO2 because if someone loses the key, they don't want it to be used as single factor (something you have) and they instead want it to be multi-factor (something you know, PIN + something you have).
In your case it sounds like there was a PIN already set on that key if it is asking you for a PIN. Normally, the first time you enroll a key it will ask you to create a new PIN. So you'll need to reset that PIN. You can download a utility from the Yubico website to wipe the key so that you can establish a new PIN. https://support.yubico.com/hc/en-us/articles/360015654100-YubiKey-PIN-and-PUK-User-Management

@Joe Stocker Thank you for your reply. That's good to know, and that does answer my question.

 

That's unfortunate as my ideal configuration would be multi-factor with just password (something I know) and a hardware key (something I have) (so no third factor - no PIN), which is more consistent with the way most of the other services I use have implemented FIDO keys.

 

Thanks again for your help.