FIDO Registration Passwordless - When the page focus is removed from verifying user presence, registration fails
Hello
We are in the process of implementing FIDO for an organization and are currently testing various use cases. I wanted to list two I came across and was hoping someone could provide more clarity on the behaviour, either by explaining it to me or by pointing me to some links where I can read more about it (I did some digging but have not seen any good explanations yet :)).
Scenario 1
1. User logs into aka.ms/mysecurityinfo
2. User selects to register a security key
3. User is asked to enter a PIN, or to create a new PIN if they have not already
4. User is asked to touch the key to verify presence
On step 4, if I click on another page, or on my open Excel/Word document, so that the screen focus is now on this new page, and then touch my FIDO key to verify user presence, I get an error message saying I am using a private browser session and my key is not registered.
This happens all the time, and I was wondering why it happens or if it is a bug.
Scenario 2
The expected behaviour for bad PIN attempts is: after 4 bad PIN inputs the user is asked to remove and reinsert their key. They have another 4 attempts after this.
I have noticed that if I enter 3 bad inputs and then enter the right PIN on my 4th attempt, I am still not allowed to log in. I get "too many incorrect PIN attempts, remove and reinsert your key".
I wanted to know if this is expected and can be changed, or if it is a limitation of the protocol.
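To make the retry behaviour in Scenario 2 concrete, here is a small Python model of a CTAP2 authenticator's PIN retry counter. This is an added illustration, not code from this thread, from Microsoft, or from any key vendor. It assumes the limits in the CTAP 2.0 specification as I read them (8 retries in total, and a power cycle required after 3 consecutive failures within one insertion); both limits are parameters, so they can be set to whatever a particular key's vendor documents. The names `Authenticator`, `verify_pin`, `power_cycle` and `run_attempts` are my own, and the result strings are named after the CTAP2 PIN error codes.

```python
from dataclasses import dataclass, field

# Assumed limits (my reading of the CTAP 2.0 spec; set these to your vendor's values).
DEFAULT_TOTAL_RETRIES = 8     # failures left before the PIN is permanently blocked
DEFAULT_PER_POWER_CYCLE = 3   # consecutive failures allowed per insertion of the key

# Result names follow the CTAP2 error codes for PIN handling.
OK = "OK"
PIN_INVALID = "CTAP2_ERR_PIN_INVALID"            # wrong PIN, retries remain
PIN_AUTH_BLOCKED = "CTAP2_ERR_PIN_AUTH_BLOCKED"  # remove and reinsert the key
PIN_BLOCKED = "CTAP2_ERR_PIN_BLOCKED"            # retries exhausted, PIN must be reset


@dataclass
class Authenticator:
    """Hypothetical model of one key's PIN retry state (added example, not vendor code)."""
    pin: str
    total_retries: int = DEFAULT_TOTAL_RETRIES
    per_power_cycle: int = DEFAULT_PER_POWER_CYCLE
    retries_left: int = field(init=False, default=0)
    failures_this_cycle: int = field(init=False, default=0)
    needs_power_cycle: bool = field(init=False, default=False)

    def __post_init__(self):
        self.retries_left = self.total_retries

    def power_cycle(self):
        """Remove and reinsert the key: clears only the per-insertion block."""
        self.failures_this_cycle = 0
        self.needs_power_cycle = False
        # retries_left is deliberately untouched: the running total survives reinsertion.

    def verify_pin(self, candidate):
        if self.retries_left == 0:
            return PIN_BLOCKED
        if self.needs_power_cycle:
            # While blocked the candidate is not compared at all,
            # so a correct PIN entered here still fails.
            return PIN_AUTH_BLOCKED
        if candidate == self.pin:
            self.retries_left = self.total_retries   # success restores the full budget
            self.failures_this_cycle = 0
            return OK
        self.retries_left -= 1
        self.failures_this_cycle += 1
        if self.retries_left == 0:
            return PIN_BLOCKED
        if self.failures_this_cycle >= self.per_power_cycle:
            self.needs_power_cycle = True
            return PIN_AUTH_BLOCKED
        return PIN_INVALID


def run_attempts(auth, attempts):
    """Feed a list of PIN entries (or the marker "<reinsert>") and collect the results."""
    results = []
    for entry in attempts:
        if entry == "<reinsert>":
            auth.power_cycle()
            results.append("power cycle")
        else:
            results.append(auth.verify_pin(entry))
    return results


if __name__ == "__main__":
    # The sequence from the post: three wrong PINs, then the right one on attempt 4.
    key = Authenticator(pin="1357")  # constructed sample PIN
    for step in run_attempts(key, ["0000", "1111", "2222", "1357", "<reinsert>", "1357"]):
        print(step)
```

With these defaults, the fourth attempt in the post's sequence comes back blocked even though the PIN is correct, because the key stops comparing PINs after the third consecutive failure until it is reinserted; the correct PIN only succeeds after the power cycle. Note also that reinsertion clears the per-insertion block but not the running total, so across several insertions the budget still runs out, and only a successful PIN entry restores it. That per-insertion block is what limits the rate at which a PIN can be guessed, which is why it applies before the PIN is checked rather than after.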