How to set a FIDO2 PIN on the SoloKey v2

Officially, a FIDO2 device exposes APIs that the fido2-token CLI application, part of the fido2-tools package on Fedora Linux, can use to modify a security token's FIDO2 PIN. As it turns out, a flaw in the SoloKey 2 firmware prevents this, but there is an alternative.

A FIDO2 PIN, by the way, is a PIN that serves two purposes: it authorizes interaction with the security token's FIDO2 features, such as registration and modification, and it acts as an additional authentication factor on top of, let's say, presence.

Using fido2-token -L from the fido2-tools package you get a list of all connected FIDO2 devices:

$ fido2-token -L
/dev/hidraw0: vendor=0x1209, product=0xbeee (SoloKeys Solo 2 Security Key)

Trying to change the device PIN fails, however:

$ fido2-token -C /dev/hidraw0
Enter current PIN for /dev/hidraw0: 
Enter new PIN for /dev/hidraw0: 
Enter the same PIN again: 
fido2-token: fido_dev_set_pin: FIDO_ERR_INVALID_ARGUMENT

There is a solo2-cli application, but it does not support modifying the PIN. It turns out, however, that solo-cli (which officially does not support the SoloKey 2) supports setting a PIN, and this also works with the SoloKey 2. Getting the CLI tool to work on Fedora is not documented, so here is how to make it work despite a bug that makes it incompatible with the current python3-fido PyPI module.

I recommend just setting up a temporary python3-venv to set the PIN, as the tool will not be needed afterwards.

$ python -m venv --upgrade-deps /tmp/solo1
$ source /tmp/solo1/bin/activate
$ pip install fido2==0.9.3
$ pip install solo1
$ solo1 key set-pin
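
To confirm that the PIN was actually stored on the key, the device's reported options can be checked afterwards. The following is an added example, not part of the original post or of the SoloKeys tooling: it assumes the `options:` line that `fido2-token -I` prints, where options that are off carry a `no` prefix, and the helper name `pin_state` and the sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Classify the clientPin option from `fido2-token -I <device>` output.
# Reads the info dump on stdin and prints one of: set, unset, unsupported.
# Assumption: options are listed on a single "options:" line, comma-separated,
# and an option that is off is printed with a "no" prefix (e.g. noclientPin).
pin_state() (
    # Take the first "options:" line; tolerate its absence.
    line=$(grep -m1 '^options:' || true)
    # Strip the label and all whitespace, then wrap in commas so that
    # "clientPin" cannot match inside "noclientPin".
    opts=",$(printf '%s' "${line#options:}" | tr -d '[:space:]'),"
    case "$opts" in
        *,clientPin,*)   echo set ;;          # a PIN is configured
        *,noclientPin,*) echo unset ;;        # PIN supported, none configured
        *)               echo unsupported ;;  # option not reported at all
    esac
)

# Constructed sample dumps (abbreviated, not captured from a real key).
SAMPLE_BEFORE='proto: 0x02
options: rk, up, noplat, noclientPin
pin retries: 8'

SAMPLE_AFTER='proto: 0x02
options: rk, up, noplat, clientPin
pin retries: 8'

# Live use against the device listed earlier:
#   fido2-token -I /dev/hidraw0 | pin_state
```

A result of `set` after running `solo1 key set-pin` means the token now reports a configured PIN; `unset` means the command did not take effect.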


Licenses

The text of this post is licensed under the Attribution 4.0 International License (CC BY 4.0). You may Share or Adapt given the appropriate Credit.

Any source code in this post is licensed under the MIT license.