How to set a FIDO2 PIN on the SoloKey v2
Officially, a FIDO2 device exposes APIs that the fido2-token CLI application, part of the fido2-tools package on Fedora Linux, can use to modify a security token's FIDO2 PIN. As it turns out, a flaw in the SoloKey 2 firmware prevents this, but there is an alternative.
A FIDO2 PIN, by the way, is used for two purposes: interacting with the security token's FIDO2 features, such as registration and modification, and serving as an authentication factor in addition to, let's say, presence.
With fido2-token -L from the fido2-tools package you get a list of all connected FIDO2 devices:
$ fido2-token -L
/dev/hidraw0: vendor=0x1209, product=0xbeee (SoloKeys Solo 2 Security Key)
Trying to change the device PIN fails however:
$ fido2-token -C /dev/hidraw0
Enter current PIN for /dev/hidraw0:
Enter new PIN for /dev/hidraw0:
Enter the same PIN again:
fido2-token: fido_dev_set_pin: FIDO_ERR_INVALID_ARGUMENT
There is a solo2-cli application, but it does not support modifying the PIN. It turns out, however, that solo-cli (which officially does not support SoloKey 2) supports setting a PIN, and this also works with the SoloKey 2. Getting the CLI tool to work on Fedora is not documented, though, so here is how to make it work despite a bug that makes it incompatible with the current python3-fido PyPI module.
I recommend just setting up a temporary python3-venv to set the PIN, as the tool will not be needed afterwards.
$ python -m venv --upgrade-deps /tmp/solo1
$ source /tmp/solo1/bin/activate
$ pip install fido2==0.9.3
$ pip install solo1
$ solo1 key set-pin
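To confirm that the PIN was actually stored, the token's CTAP2 options can be read back with fido2-token -I. The following is an added example, not part of the original post: it assumes the "options:" line format printed by fido2-token (options that are false carry a "no" prefix), and the pin_state helper and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the FIDO2 PIN state from `fido2-token -I <device>`
# output read on stdin. Prints one of: set, unset, unsupported.
# Assumption: the tool prints a line such as
#   options: rk, up, noplat, noclientPin
# where "clientPin" means a PIN is configured and "noclientPin" means the
# token supports a PIN but none has been set yet.
pin_state() {
    # Keep only the options line, then put one option per line.
    opts=$(sed -n 's/^options:[[:space:]]*//p' | tr -d ' ' | tr ',' '\n')
    if printf '%s\n' "$opts" | grep -qx 'clientPin'; then
        echo set
    elif printf '%s\n' "$opts" | grep -qx 'noclientPin'; then
        echo unset
    else
        # No clientPin option advertised at all (or no options line found).
        echo unsupported
    fi
}

# Constructed sample output, not captured from a real key: before set-pin.
sample_before='proto: 0x02
version strings: U2F_V2, FIDO_2_0
options: rk, up, noplat, noclientPin
pin retries: 8'

# Constructed sample output, not captured from a real key: after set-pin.
sample_after='proto: 0x02
version strings: U2F_V2, FIDO_2_0
options: rk, up, noplat, clientPin
pin retries: 8'

# Usage against a real device (path as listed by `fido2-token -L`):
#   fido2-token -I /dev/hidraw0 | pin_state
```

A result of "unset" after running solo1 key set-pin means the PIN was not stored and the step should be repeated before the venv is discarded.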