OS differences in fido_dev_has_pin

[akallabeth]

Hi,

I´ve written a small application that uses fido_dev_make_cred. Depending on fido_dev_has_pin I also query a PIN from the user before calling.
Now I´ve compiled the sample on linux and windows, but observe differences in behavior (I use the same 2 yubikeys in both tests):
On linux only the stick with a PIN set is queried for input, on windows fido_dev_has_pin always returns true.

Did i read the function of fido_dev_has_pin wrong?

[martelletto]

If you are using Microsoft's webauthn.dll (which is the only way for unprivileged applications to communicate with security keys on recent versions of Windows, and is abstracted by libfido2 as a pseudo-device with path windows://hello), then there's no way for libfido2 (or any application) to know which key it is talking to or what the key supports. Since webauthn.dll supports asking for a PIN - regardless of the capabilities of the underlying authenticator - libfido2's fido_dev_has_pin() always returns true when called on windows://hello.

Please let us know if that's missing from the documentation (it might be completely absent -- our bad), and we will make sure to fix it.

[akallabeth]

@martelletto ok, thank you. I can not find much at https://developers.yubico.com/libfido2/Manuals/fido_dev_has_pin.html or are you talking about a different documentation?
as I only require the check to query the PIN with a custom dialog before calling any function, how is the workflow under windows for that? does windows://hello handle the pin query? (would be sufficient for my use case)

[martelletto]

It should be documented in https://developers.yubico.com/libfido2/Manuals/fido_dev_has_pin.html. We will fix this. Unfortunately, there is no uniform way to handle security keys and Microsoft's webauthn.dll; the latter was designed to do the former in a high-level and opaque way. The way to go is to special-case webauthn.dll in your application using fido_dev_is_winhello().