"Response didn't match the challenge" Credential provider Wrong Pin FIDO2

Hello :waving_hand:

First of all, I have reviewed the following topics: "Challenge Response problem" and "I can not validate challenge: “Response did not match the challenge.”"

However, I don’t believe they apply in this case, and I apologize if this post is a duplicate.

I am using PrivacyIdea Credential Provider 3.8.0 with a YubiKey enrolled in WebAuthn using FIDO2.

During the login process, if the user enters the wrong PIN, the message “Wrong PIN” appears, and then it redirects back to the OTP field. If I try again to use the key to log in, even before being able to enter the PIN, the message “response didn’t match the challenge” appears.

As a workaround, I was able to use the offline token, or simply avoid entering the wrong PIN after waiting for the screen to lock by itself.

Could this be a configuration issue with the Credential Provider?

Thanks for reading!

Hi, do you have two_step_send_* enabled? If you get back to the first step after entering the wrong PIN (of the YubiKey, right?), submitting the first step again will again trigger the two_step_send_* setting, and if that does not trigger a challenge again, you see that message, because in the first step you need to enter the privacyIDEA PIN of the YubiKey token (which could also be the AD password). But IIRC, if you enter the YubiKey PIN wrong, you should not be sent back to the first step. So you could post your config + debug log.
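One way to check the configuration the reply above asks about, added here as an example and not part of the original thread or of the privacyIDEA project: a PowerShell snippet that dumps the privacyIDEA Credential Provider settings from the registry and reports whether any two_step_* value is switched on and whether debug logging is enabled. It assumes the documented registry key `HKLM\SOFTWARE\Netknights GmbH\PrivacyIDEA-CP` and the documented value names (`two_step_send_password`, `two_step_send_empty_password`, `debug_log`); if an installation keeps its settings elsewhere, adjust `$cpKey`.

```powershell
# Added example (not from the thread). Dumps the privacyIDEA Credential Provider
# configuration so the two_step_* settings can be checked before posting them.
# Assumption: the CP stores its settings under the key below, as in its
# documentation; adjust $cpKey if your installation differs.
$cpKey = 'HKLM:\SOFTWARE\Netknights GmbH\PrivacyIDEA-CP'

if (-not (Test-Path $cpKey)) {
    Write-Error "Credential Provider registry key not found: $cpKey"
    exit 1
}

$item = Get-ItemProperty -Path $cpKey
# Drop the PS* metadata properties that Get-ItemProperty adds to the object.
$settings = $item.PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' } |
    Select-Object Name, Value

Write-Host "== All privacyIDEA CP settings =="
$settings | Format-Table -AutoSize | Out-String | Write-Host

# Two-step mode is what the reply asks about: with one of these set to "1",
# the first login step sends the (possibly empty) password to privacyIDEA to
# trigger a challenge, and the OTP/FIDO response is collected in a second step.
$twoStep = $settings | Where-Object { $_.Name -like 'two_step_*' }
Write-Host "== two_step_* settings =="
if ($twoStep) { $twoStep | Format-Table -AutoSize | Out-String | Write-Host }
else          { Write-Host "(no two_step_* value set)" }

$enabled = $twoStep | Where-Object { "$($_.Value)" -eq '1' }
if ($enabled) {
    Write-Host "Two-step mode IS enabled via: $($enabled.Name -join ', ')"
} else {
    Write-Host "Two-step mode is NOT enabled."
}

# The reply also asks for a debug log; debug_log=1 turns it on.
$debug = $settings | Where-Object { $_.Name -eq 'debug_log' }
$debugState = if ($debug) { $debug.Value } else { '(not set, off)' }
Write-Host "debug_log = $debugState"
```

Run it in an elevated PowerShell on the affected workstation. Before posting the output or the debug log, review both for usernames, hostnames and server URLs you do not want to share publicly.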

Hi!! thanks for your response.

Yes, when I mention the PIN, I mean the YubiKey PIN, not the OTP PIN.

I don’t think I have `two_step_send_*` enabled.

Can we enter the AD password in the OTP field? I tried, but it wasn’t successful.

Each time I tried, I was sent back to the first step after every incorrect YubiKey PIN entry.

Here are my config and my log export; in it there is one failed YubiKey PIN entry and an offline connection.

If you need more information, don’t hesitate!