
Explainer: minPinLength

Adam Langley edited this page Nov 4, 2021 · 5 revisions

Security keys are physical devices, often USB-connected, that can create public–private key pairs and sign with the private keys to authenticate a user. Websites can use them via the WebAuthn API. Several major sites allow users to register security keys for better account security, for example Microsoft, Dropbox, GitHub, Google, and Facebook, to name a few.

Expert / high-sensitivity accounts are one user cohort, but security keys are also used by enterprises. In the latter context they can form part of a compliance system, for example for AAL3 (NIST SP 800-63B Authenticator Assurance Level 3). In order to meet AAL3, enterprises can use the user verification feature of WebAuthn, which involves local entry of a PIN or use of a fingerprint reader on the security key. However, such compliance regimes often have requirements on minimum PIN lengths.

In order to help with meeting such requirements, the current standard for security keys (CTAP 2.1) defines an extension called minPinLength. This allows the authenticator to report, when a credential is created, its configured minimum PIN length. Since the minimum can only be decreased by resetting the security key, which erases all credentials, an enterprise which uses this extension knows that the minimum was enforced whenever that credential is used.

In order to prevent just any site from requesting this information, the security key will only report the minimum PIN length for sites which have been explicitly preconfigured. This configuration has to be done directly, by sending special CTAP messages to the security key. The envisioned process is that an enterprise will enable minimum PIN length reporting for its sign-in domain manually, on each security key, before distributing them to employees.

The CTAP 2.1 minPinLength extension can be exposed to the Web via WebAuthn's existing extensions mechanism. This explainer is being submitted as part of the Blink process because Blink proposes to so expose it.
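As an added example (not code from this explainer or from Chromium), the relying-party-side check an enterprise would run on a registration response: it parses the authenticator data, reads the `minPinLength` value the authenticator placed in the extensions map (the site requests it with `extensions: { minPinLength: true }` in `navigator.credentials.create()`; the output travels in the authenticator data, not in the client extension results), and rejects registrations that report nothing or a value below policy. The sample authenticator data, the RP ID `example.com` and the policy minimum are constructed for this example; the CBOR decoder covers only the subset a COSE key and this extension need.

```python
import hashlib

def _cbor(buf, i=0):
    """Decode one CBOR item at buf[i]; return (value, index just past it)."""
    mt, ai, i = buf[i] >> 5, buf[i] & 0x1F, i + 1
    if ai > 27:
        raise ValueError("unsupported CBOR additional info")
    width = 0 if ai < 24 else 1 << (ai - 24)          # 1/2/4/8-byte argument
    n = ai if ai < 24 else int.from_bytes(buf[i:i + width], "big")
    i += width
    if mt in (0, 1):                                  # uint / negative int
        return (n if mt == 0 else -1 - n), i
    if mt in (2, 3):                                  # bstr / tstr
        return (buf[i:i + n] if mt == 2 else buf[i:i + n].decode("utf-8")), i + n
    if mt in (4, 5):                                  # array / map (a map holds 2n items)
        items = []
        for _ in range(n * (2 if mt == 5 else 1)):
            v, i = _cbor(buf, i)
            items.append(v)
        return (dict(zip(items[::2], items[1::2])) if mt == 5 else items), i
    if mt == 7 and n in (20, 21, 22):                 # false / true / null
        return {20: False, 21: True, 22: None}[n], i
    raise ValueError("unsupported CBOR item")

def check_min_pin_length(auth_data, rp_id, policy_min):
    """Return (accepted, detail) for registration authenticator data; detail is
    the minPinLength the authenticator reported when accepted."""
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match the expected RP ID"
    flags = auth_data[32]
    if not flags & 0x04:                              # UV: PIN or biometric verified
        return False, "user verification (UV) flag not set"
    i = 37                                            # rpIdHash(32)+flags(1)+signCount(4)
    if flags & 0x40:                                  # AT: attested credential data
        cred_len = int.from_bytes(auth_data[i + 16:i + 18], "big")  # after aaguid
        i += 18 + cred_len                            # skip aaguid, length, credentialId
        _, i = _cbor(auth_data, i)                    # skip credentialPublicKey (COSE)
    exts = _cbor(auth_data, i)[0] if flags & 0x80 else {}   # ED: extensions map
    reported = exts.get("minPinLength") if isinstance(exts, dict) else None
    if type(reported) is not int:
        return False, "no minPinLength output (RP ID not preconfigured on the key?)"
    if reported < policy_min:
        return False, f"reported minimum {reported} is below policy {policy_min}"
    return True, reported

# Constructed sample for RP ID "example.com": flags UP|UV|AT|ED (0xC5), zero signCount
# and aaguid, 4-byte credential id, minimal COSE key {1: 2, 3: -7}, {"minPinLength": 6}.
SAMPLE_AUTH_DATA = (hashlib.sha256(b"example.com").digest() + b"\xc5"
                    + b"\x00\x00\x00\x00" + b"\x00" * 16 + b"\x00\x04\x01\x02\x03\x04"
                    + bytes.fromhex("a201020326") + b"\xa1\x6cminPinLength\x06")
```

A registration that lacks the extension output is rejected outright, because a key that was never preconfigured for this RP ID gives no guarantee about its PIN policy.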
