How to set a FIDO2 PIN on the SoloKey v2
Officially, a FIDO2 device exposes APIs that the fido2-token CLI application, part of the fido2-tools package on Fedora Linux, can use to modify a security token's FIDO2 PIN. As it turns out, a flaw in the SoloKey 2 firmware prevents this, but there is an alternative.
A FIDO2 PIN, by the way, is a PIN that serves two purposes: it gates interaction with the security token's FIDO2 features, such as registration and modification, and it acts as an additional authentication factor on top of, let's say, presence.
Using fido2-token -L from the fido2-tools package, you get a list of all connected FIDO2 devices:
$ fido2-token -L
/dev/hidraw0: vendor=0x1209, product=0xbeee (SoloKeys Solo 2 Security Key)
Trying to change the device PIN fails, however:
$ fido2-token -C /dev/hidraw0
Enter current PIN for /dev/hidraw0:
Enter new PIN for /dev/hidraw0:
Enter the same PIN again:
fido2-token: fido_dev_set_pin: FIDO_ERR_INVALID_ARGUMENT
There is a solo2-cli application, but it does not support modifying the PIN. It turns out, however, that solo-cli (which officially does not support SoloKey 2) supports setting a PIN, and this also works with the SoloKey 2. Getting the CLI tool to work on Fedora is not documented, though, so here is how to make it work despite a bug that makes it incompatible with the current python3-fido PyPI module.
I recommend just setting up a temporary python3-venv to set the PIN, as the tool will not be needed afterwards.
$ python -m venv --upgrade-deps /tmp/solo1
$ source /tmp/solo1/bin/activate
$ pip install fido2==0.9.3
$ pip install solo1
$ solo1 key set-pin