We are using Yubikeys as WebAuthn tokens in conjunction with SimpleSamlPHP, authproc mode. This setup works well, although we’re looking forward to the next update of the simplesaml-module-privacyidea. Anyway… There seems to be an annoying “feature” in Windows (we do have quite a number of Windows users, though I fail to understand why). I guess this is not in any way a problem with PI but rather with Windows, but maybe someone here knows something about it. I don’t have any Windows devices myself, so I’ve never seen the thing IRL, but from what I’m told, after entering the PIN for the Yubikey and touching it there comes a new little box labelled “Windows security” (is there such a thing?) where the user has to enter the Yubikey PIN and touch it again to get to the requested service.
Now this is annoying but perhaps not a disaster, but the other day someone found a little link in that box that said “Change PIN”. What happens then is that the user can change the PIN for the Yubikey, but only for Windows on that particular device. Obviously the Yubikey PIN in PI cannot be changed that way. From then on the user has to remember two PINs… Now, even worse, apparently the Windows device remembers all Yubikeys that have been used on it and the corresponding PINs, which could mean that someone cannot log in to the service on that device since someone else once used that Yubikey on it with a different PIN.
My knowledge of Windows is very weak, but perhaps someone here has an idea about how to get rid of this Windows security feature?
To my knowledge this is not a PIN of the Yubikey hardware device but for the webauthn profile.
I do not know how you could deactivate this, especially on Windows.
Hm, however, in the WebAuthn settings you can define whether you need a device with a PIN or not. It could be that Windows defaults to PIN and thus adds a “virtual” PIN to the WebAuthn profile of the Yubikey.