I have bought a FIDO-U2F/FIDO2 USB security token and managed to add it as a passkey for GitHub on my macOS (Sonoma).

It didn't work for another site and I suspect that it's because the key doesn't have a PIN yet.

It is possible to set the key PIN with the fido2-token command provided with libfido2 that can be installed with brew on macOS.

But it requires a device name as an argument and I don't know what device name to use. On Linux we have to add a user device and the key seller gives the recipe to do so, but they don't provide any info for macOS.

Windows provides a GUI in the system parameters to set the key PIN, but I would prefer to avoid using a Windows machine to do this.

EDIT 1: Since I posted the question, I found out that you can see the connected USB devices by going to Apple icon > About This Mac > More Info > System Report > USB. The path might be slightly different in your version.

I do see the key listed there, as I did see it too with lsusb installed with brew, but it doesn't show the /dev I could use to talk to it.

1 Answer

After some further research I found the solution.

With libfido2 installed with brew, we can list the FIDO2 security tokens (e.g. USB keys) with the command fido2-token -L. It gives the device to use for other commands.

The manuals for the libfido2 commands, and especially the fido2-token command, are available here: https://developers.yubico.com/libfido2/Manuals/fido2-token.html.

$ fido2-token -L
ioreg://4295015862: vendor=0x1e0d, product=0xf1d0 (NEOWAVE NEOWAVE Winkeo FIDO2)

$ fido2-token -I ioreg://4295015862
proto: 0x02
major: 0x01
minor: 0x00
build: 0x00
caps: 0x05 (wink, cbor, msg)
version strings: U2F_V2, FIDO_2_0
extension strings: hmac-secret
aaguid: 3789da91f94346bc95c350ea2012f03a
options: rk, up, noplat, noclientPin
fwversion: 0x0
maxmsgsiz: 2048
maxcredcntlst: 0
maxcredlen: 0
maxlargeblob: 0
pin protocols: 1
pin retries: undefined
pin change required: false
uv retries: undefined

As can be seen with the noclientPin, the key PIN is currently not set.

I then set the key PIN:

$ fido2-token -S ioreg://4295015862
Enter new PIN for ioreg://4295015862: 
Enter the same PIN again: 

$ fido2-token -I ioreg://4295015862
proto: 0x02
major: 0x01
minor: 0x00
build: 0x00
caps: 0x05 (wink, cbor, msg)
version strings: U2F_V2, FIDO_2_0
extension strings: hmac-secret
aaguid: 3789da91f94346bc95c350ea2012f03a
options: rk, up, noplat, clientPin
fwversion: 0x0
maxmsgsiz: 2048
maxcredcntlst: 0
maxcredlen: 0
maxlargeblob: 0
pin protocols: 1
pin retries: 8
pin change required: false
uv retries: undefined

As we can see the key PIN is now set.
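
Added example, not part of the original answer or of libfido2: a POSIX shell script that uses the `fido2-token -L` and `fido2-token -I` output shown above to report, for every connected token, whether a PIN is set. The function names are my own, and the parsing assumes the output format shown in this answer.

```shell
#!/bin/sh
# Added example: report which connected FIDO2 tokens still have no PIN.
# Function names are hypothetical; parsing assumes the fido2-token output shown above.

# list_devices: read `fido2-token -L` output on stdin, print one device path per line.
# The path is everything before ": vendor=" (ioreg://... in the output above).
list_devices() {
    sed -n 's/^\(.*\): vendor=.*$/\1/p'
}

# pin_state: read `fido2-token -I` output on stdin and print
#   set          the options line lists clientPin
#   unset        the options line lists noclientPin
#   unsupported  neither option is listed
pin_state() {
    awk -F': *' '
        $1 == "options" {
            gsub(/[ \t\r]+$/, "", $2)          # drop trailing whitespace
            n = split($2, opt, /, */)
            for (i = 1; i <= n; i++) {
                if (opt[i] == "clientPin")   state = "set"
                if (opt[i] == "noclientPin") state = "unset"
            }
        }
        END { print (state == "" ? "unsupported" : state) }
    '
}

# pin_retries: print the value of the "pin retries" line (a number or "undefined").
pin_retries() {
    awk -F': *' '$1 == "pin retries" { print $2 }'
}

# audit: query every token that fido2-token can see and summarise its PIN status.
audit() {
    fido2-token -L | list_devices | while IFS= read -r dev; do
        info=$(fido2-token -I "$dev") || { echo "$dev: cannot read info"; continue; }
        echo "$dev: PIN $(printf '%s\n' "$info" | pin_state)," \
             "retries $(printf '%s\n' "$info" | pin_retries)"
    done
}

if command -v fido2-token >/dev/null 2>&1; then
    audit
else
    # fido2-token not installed: run the parser on two lines copied from the output above.
    printf 'options: rk, up, noplat, noclientPin\npin retries: undefined\n' | pin_state
fi
```

A token reported as `unset` is the state shown in the first `-I` listing above; setting the PIN with `fido2-token -S` moves it to `set` with a retry counter.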
