
Explainer: minPinLength

Adam Langley edited this page Nov 5, 2021 · 5 revisions

Security keys are physical devices, often USB-connected, that can create public–private key pairs and sign with the private keys to authenticate a user. Websites can use them via the WebAuthn API. Several major sites allow users to register security keys for better account security, for example, Microsoft, Dropbox, GitHub, Google, and Facebook, to name a few.

Expert / high-sensitivity accounts are one user cohort, but security keys are also used by enterprises and governments. In the latter contexts, they can form part of a compliance system: for example, SP800-63-3 requires, for both the public and private sectors, that user-selected memorized secrets (e.g. PINs) be a minimum of 8 characters. In order to meet SP800-63-3, enterprises can use the user verification feature of WebAuthn, which involves local entry of a PIN or use of a fingerprint reader on the security key. However, such compliance regimes often have requirements for minimum PIN lengths greater than the default minimum of 4 characters.

In order to help organizations with meeting such regulatory requirements, the current standard for security keys (CTAP 2.1) defines an extension called minPinLength. This allows the authenticator to report, when a credential is created, the authenticator's current configured minimum PIN length. Since the minimum can only be decreased by resetting the security key, which erases all credentials, an enterprise that uses this extension knows that the minimum was enforced whenever that credential is used.

In order to prevent just any site from requesting this information, the security key will only report the current minimum PIN length for sites that have been explicitly preconfigured. This configuration has to be done directly, by sending special CTAP messages to the security key. This API is not exposed over the internet. The envisioned process is that an enterprise will enable minimum PIN length reporting for its sign-in domain manually, on each security key, before distributing them to employees.

The CTAP 2.1 minPinLength extension can be exposed to the Web via WebAuthn's existing extensions mechanism. This explainer is being submitted as part of the Blink process because Blink proposes to so expose it.
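As an added, constructed example (not Chromium's code and not part of this explainer): the registration-time check an enterprise relying party would run to make use of the extension described above. The web page asks for it by passing `extensions: { minPinLength: true }` to `navigator.credentials.create()`; the authenticator's answer is not delivered in the client extension results but inside the CBOR extension map at the end of the authenticator data in the attestation object, so the server has to parse it out. Everything below is hypothetical: the function names, the `login.example.com` RP ID, the placeholder key coordinates and credential ID, and the policy value of 8.

```python
import hashlib
import struct

# Authenticator data flag bits (user present, user verified, attested
# credential data included, extension data included).
FLAG_UP, FLAG_UV, FLAG_AT, FLAG_ED = 0x01, 0x04, 0x40, 0x80


def _decode_cbor(buf, pos=0):
    """Minimal CBOR decoder (uint, negint, bstr, tstr, array, map): enough
    for COSE keys and extension maps. Returns (value, position after item)."""
    ib = buf[pos]
    major, info = ib >> 5, ib & 0x1F
    pos += 1
    if info < 24:
        arg = info
    elif info == 24:
        arg, pos = buf[pos], pos + 1
    elif info == 25:
        arg, pos = struct.unpack_from(">H", buf, pos)[0], pos + 2
    elif info == 26:
        arg, pos = struct.unpack_from(">I", buf, pos)[0], pos + 4
    elif info == 27:
        arg, pos = struct.unpack_from(">Q", buf, pos)[0], pos + 8
    else:
        raise ValueError("indefinite-length CBOR not supported")
    if major == 0:
        return arg, pos
    if major == 1:
        return -1 - arg, pos
    if major in (2, 3):
        chunk = bytes(buf[pos:pos + arg])
        if len(chunk) != arg:
            raise ValueError("truncated CBOR string")
        return (chunk if major == 2 else chunk.decode("utf-8")), pos + arg
    if major == 4:
        items = []
        for _ in range(arg):
            item, pos = _decode_cbor(buf, pos)
            items.append(item)
        return items, pos
    if major == 5:
        out = {}
        for _ in range(arg):
            key, pos = _decode_cbor(buf, pos)
            out[key], pos = _decode_cbor(buf, pos)
        return out, pos
    raise ValueError("unsupported CBOR major type %d" % major)


def parse_authenticator_data(auth_data):
    """Split authenticator data into its fields; extensions come back as a dict."""
    flags = auth_data[32]
    sign_count = struct.unpack_from(">I", auth_data, 33)[0]
    pos, cred_id = 37, None
    if flags & FLAG_AT:
        pos += 16  # AAGUID
        cred_len = struct.unpack_from(">H", auth_data, pos)[0]
        pos += 2
        cred_id = auth_data[pos:pos + cred_len]
        pos += cred_len
        _cose_key, pos = _decode_cbor(auth_data, pos)  # skip over the public key
    extensions = {}
    if flags & FLAG_ED:
        extensions, pos = _decode_cbor(auth_data, pos)
    if pos != len(auth_data):
        raise ValueError("trailing bytes after authenticator data")
    return {"rp_id_hash": auth_data[:32], "flags": flags, "sign_count": sign_count,
            "credential_id": cred_id, "extensions": extensions}


def check_min_pin_length(auth_data, required=8):
    """Hypothetical registration-time policy check. Returns (accepted, reason)."""
    parsed = parse_authenticator_data(auth_data)
    reported = parsed["extensions"].get("minPinLength")
    if not isinstance(reported, int):
        # Expected when this RP ID was never pre-configured on the key.
        return False, "authenticator reported no minPinLength"
    if not parsed["flags"] & FLAG_UV:
        return False, "user verification flag not set, so no PIN was entered"
    if reported < required:
        return False, "configured minimum %d is below policy %d" % (reported, required)
    return True, "configured minimum %d meets policy %d" % (reported, required)


def _cbor_uint(n):
    return bytes([n]) if n < 24 else b"\x18" + bytes([n])  # n < 256 is enough here


def build_sample_auth_data(min_pin_length=8, uv=True, report=True):
    """Constructed sample, not real authenticator output: a P-256 COSE key with
    placeholder coordinates, plus a minPinLength extension map when report=True."""
    flags = FLAG_UP | FLAG_AT | (FLAG_UV if uv else 0) | (FLAG_ED if report else 0)
    cred_id = b"\x11" * 16
    cose_key = (b"\xa5\x01\x02\x03\x26\x20\x01"      # {1: 2, 3: -7, -1: 1,
                + b"\x21\x58\x20" + b"\xaa" * 32      #  -2: x (placeholder),
                + b"\x22\x58\x20" + b"\xbb" * 32)     #  -3: y (placeholder)}
    ext = b"\xa1\x6cminPinLength" + _cbor_uint(min_pin_length) if report else b""
    return (hashlib.sha256(b"login.example.com").digest() + bytes([flags])
            + struct.pack(">I", 0) + bytes(16)
            + struct.pack(">H", len(cred_id)) + cred_id + cose_key + ext)


if __name__ == "__main__":
    for kwargs in ({"min_pin_length": 8}, {"min_pin_length": 4}, {"report": False}):
        print(kwargs, check_min_pin_length(build_sample_auth_data(**kwargs)))
```

Two points follow from the explainer's text. A key that was not pre-configured for the RP ID simply omits the extension output, so the relying party sees the "no minPinLength" case rather than an error and has to decide whether to reject the registration. And the value only describes the minimum in force when the PIN was set up; the claim that it was enforced on a later sign-in rests on the relying party also requiring user verification on each assertion.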