How to set a FIDO2 PIN on the SoloKey v2
Officially, a FIDO2 device exposes APIs that the fido2-token CLI application, part of the fido2-tools package on Fedora Linux, can use to modify a security token's FIDO2 PIN. As it turns out, a flaw in the SoloKey 2 firmware prevents this, but there is an alternative.
A FIDO2 PIN, by the way, is used for two purposes: it gates interaction with the security token's FIDO2 features, such as registration and modification, and it serves as an authentication factor in addition to, let's say, presence.
With fido2-token -L from the fido2-tools package you get a list of all connected FIDO2 devices:
$ fido2-token -L
/dev/hidraw0: vendor=0x1209, product=0xbeee (SoloKeys Solo 2 Security Key)
Trying to change the device PIN fails, however:
$ fido2-token -C /dev/hidraw0
Enter current PIN for /dev/hidraw0:
Enter new PIN for /dev/hidraw0:
Enter the same PIN again:
fido2-token: fido_dev_set_pin: FIDO_ERR_INVALID_ARGUMENT
There is a solo2-cli application, but it does not support modifying the PIN. It turns out, however, that solo-cli (which officially does not support the SoloKey 2) supports setting a PIN, and this also works with the SoloKey 2. Getting that CLI tool to work on Fedora is not documented, so here is how to make it work despite a bug that makes it incompatible with the current python3-fido PyPI module.
I recommend just setting up a temporary python3-venv to set the PIN, as the tool will not be needed afterwards.
$ python -m venv --upgrade-deps /tmp/solo1
$ source /tmp/solo1/bin/activate
$ pip install fido2==0.9.3
$ pip install solo1
$ solo1 key set-pin
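To confirm that the PIN was actually stored, the token's CTAP2 options can be checked before and after the steps above. The following is an added example, not part of the original post or of any SoloKeys tooling: the function name fido2_pin_state is hypothetical, it assumes the "options:" line format printed by fido2-token -I (false options prefixed with "no"), and the sample dumps are constructed rather than captured from a device.

```shell
#!/bin/sh
# Added example: derive the FIDO2 PIN state from `fido2-token -I <device>`
# output read on stdin. Prints one of: set, unset, unsupported.
fido2_pin_state() {
    # Take the first "options:" line; each option is listed by name and
    # prefixed with "no" when false (noclientPin = PIN supported, not set).
    opts=$(sed -n 's/^options:[[:space:]]*//p' | head -n 1)
    state=unsupported
    old_ifs=$IFS
    IFS=','
    for opt in $opts; do
        # Strip padding, then match the whole token so that names which
        # merely contain "pin" (e.g. pinUvAuthToken) are not misread.
        opt=$(printf '%s' "$opt" | tr -d '[:space:]')
        case $opt in
            clientPin)   state=set ;;
            noclientPin) state=unset ;;
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$state"
}

# Constructed sample dumps (not captured from a real token).
SAMPLE_UNSET='proto: 0x02
options: rk, up, noplat, noclientPin'
SAMPLE_SET='proto: 0x02
options: rk, up, noplat, clientPin, pinUvAuthToken'
SAMPLE_NO_PIN_SUPPORT='proto: 0x02
options: up, noplat'

# Usage against the device from the listing above (requires the token):
#   fido2-token -I /dev/hidraw0 | fido2_pin_state
```

Once the state reads "set", the temporary environment can be left with deactivate and /tmp/solo1 removed.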