Feature: Choose PIN tries amount

[bluikko]

This is a feature request to add "PIN tries amount" to configuration.

Currently if the policy is to use some other PIN try amount than the default 3, one has to manually use the PIV tool to change the PIN try amount. But after that is done, the PIN and PUK are reset to default - making the workflow very cumbersome since ES does not readily display the PUK.

[mike-csis]

Out of curiosity, what is your policy? The Yubikey allows a 1-255 range for tries.

Questions:

• Would you need to set both PIN and PUK try count?
• Would you need to be able to customize the count for each enrolment?
• Would you need to see the current count in f.ex. the display in the bottom left?
• Would you need the set count stored in the database?

[bluikko]

We have kept it very simple. 5 tries for both PIN & PUK for everyone. I would not care about individual customization, it could be an option with the other "global" configuration like management key. Perhaps a simple spin control. Some other people might prefer a list box with pre-defined values but I think a spin control would be best.

It would be a good idea to show the current count somewhere so that the PIV tool "-a status" would not be needed for checking current count.
I do not see immediately the benefit of storing this in database if there is no customization during enrollment (only in the configuration "gear icon").

[mike-csis]

I have stumbled upon some issues when setting the retry count to a high number.. I'm reaching out to yubico to confirm.

[mike-csis]

@bluikko could you try this version?

Take a backup of your settings and store json files first. By default, it will set PIN/PUK retries to 3/3, but you can alter it in the settings dialog. The maximum values are 127/127, found through testing on a v3 Yubikey (firmware 3.3.7). I've reached out to Yubico for clarification.

ES-0.3.5.1.zip

[bluikko]

I have tested some of the functionality of the 0.3.5.1 package you shared and have some feedback:

• After doing "Reset PIN", the "Tries (PIN/PUK)" still show "0 remaining", even after unplug/re-plug the YubiKey for a few seconds - I guess this is normal and the YK must be re-connected for the status to update? I think it could be better to blank out the "0 remaining" and show nothing for "Tries (PIN/PUK)" immediately when "Reset PIN" action is done to avoid confusion.
• Doing a "Reset PIN" action does not update the max tries count - if the YK was provisioned with 3 tries, it does not update to whatever is the current max tries value in configuration. Ideally "Reset PIN" action could re-program the max tries to follow current configuration.

I will try the rest of the functionality when I can in beginning of next week.

[bluikko]

I had the opportunity to try to program a YubiKey that was just terminated, the enrollment fails always with error "Unable to set PIN and PUK retry counts" regardless of if PIN/PUK count is the default 3/3 or something else like 5/3 or 5/5.

Looking forward to testing on a brand new YK later if that makes any difference.

[mike-csis]

@bluikko I added the setting of retry counts to the Reset PIN form and noticed something disturbing. If I set the PIN/PUK counts before resetting the PIN, it will completely block the key (a reset is necessary)..

So I did some more testing and found that setting the PIN/PUK counts after setting the new PIN, it will correctly show the desired remaining count (And the PIV tool will not report the card as blocked). (I also refresh the UI now after resetting a PIN).

I'll look into the enroll-part, as it seems it may have the same bug (as you've encountered 0 tries left, which indicates a blocked card).

[mike-csis]

@bluikko, try this out.

Also, which retry counts are you trying to set? .. Something divisible by 16, or the 5 you talked about before?

ES-0.3.5.2.zip

[bluikko]

Previously I had tested 5/3 and 5/5 (PIN/PUK). These counts work when setting with yubico-piv-tool.

By the way, when the try-count is changed with yubico-piv-tool, the card is reset to default PIN or PUK. This is the big reason why it is so cumbersome for the workflow but it sounds like it is for a reason like you found out. I'll test the new version within few days.

[mike-csis]

Ooh. Hmm. I've just noticed I might have been testing using the default pin .. So enrolling actually doesn't work right now.. Stand by.

Good detail. I had completely missed that.

[mike-csis]

Without the above info, the reset PIN dialog had been broken. I would have set just the PIN, but not the PUK, leading to that info being useless.

Try this one.
ES-0.3.5.3.zip

[bluikko]

I have not had a chance to test on a new token yet. I hope I can test enrollment next week.

But I tried to do "Reset PIN" on a YK with PIN blocked, regardless of if the PIN/PUK tries were 3/5 or 3/3 (tried only two combinations) the Reset PIN operation fails with two messages:
Warning - "Unable to set PIN/PUK try counts"
Error - "An error occurred while resetting the PIN code. Please try again."

So I reset the PIN on 0.3.5.0 without issues.

[bluikko]

Ignore the above comment. The PUK was incorrect and 0.3.5.0 just thought it reset the PIN while in practice it could not due to PUK wrong.

[bluikko]

On a brand new YubiKey, never used before, enrollment on 0.3.5.3 fails with error "Unable to set PIN and PUK retry counts".
The PIN/PUK counts I tested were 5/3 and 3/3.

[Genbox]

@bluikko There might be changes to the API or newer devices. We will update to the latest version of the Yubikey library and test out your scenario.

[tk4100]

Adding in my interest this feature! I have plenty of v4.3.3 keys to test with, if that'd be relevant.

[pglomski]

Also very interested in seeing this feature implemented. The 1.5.0 yubikey api released at the end of November '17 has getters and setters for pin_retries baked in.

[DSBloom]

I am working on my own enrollment station type app, but I am using your YubiLib project, and I too would love to be able to set the PIN/PUK retries. The current code does not appear to be working.