
Please provide / document a method for controlling whether a PIN is requested #246

Open
tmo1 opened this issue Jan 24, 2025 · 2 comments

@tmo1

tmo1 commented Jan 24, 2025

I've been experimenting with the provided example code (credential.py, hmac-secret.py) with a Yubico Security Key running firmware 5.4.3 (with support for 'U2F_V2', 'FIDO_2_0', and 'FIDO_2_1_PRE') and a PIN configured, and no matter what I try, I can't control when I'm asked for a PIN and when I'm not - make_credential always asks for a PIN, and get_assertion never does, no matter what options I try to set.

@dainnilsson
Member

This behavior is defined by the WebAuthn and CTAP2 specification, and thoroughly documented there. A 5.4 YubiKey with a PIN set will always require PIN verification when creating a new credential. Whether or not you are prompted for PIN when getting an assertion depends on the value of the userVerification parameter as described here https://www.w3.org/TR/webauthn-2/#dictdef-authenticatorselectioncriteria

Note that the UserInteraction implementation in the example code caches the PIN, so you will not be prompted for it more than once.

@tmo1
Author

tmo1 commented Jan 24, 2025

Thank you for the help.

> This behavior is defined by the WebAuthn and CTAP2 specification, and thoroughly documented there.

Can you be more specific?

> A 5.4 YubiKey with a PIN set will always require PIN verification when creating a new credential

Is this per FIDO spec, or a Yubico 5.4 implementation detail? If the latter, is it documented somewhere?

> Whether or not you are prompted for PIN when getting an assertion depends on the value of the userVerification parameter as described here https://www.w3.org/TR/webauthn-2/#dictdef-authenticatorselectioncriteria

That's Webauthn - we're talking about pure CTAP.

The fido2-assert CLI tool, for example, has the -v option to "prompt the user for a PIN and request user verification from the authenticator." I'm trying to understand whether there's any similar option that can be set / unset when using the Python bindings.
