FIDO Registration Passwordless - When page focus is removed while verifying user presence, registration fails

Gobinath Mageswaran 1 Reputation point
2021-07-05T16:01:18.387+00:00

Hello
We are in the process of implementing FIDO for an organization and are currently testing various use cases. I wanted to list two that I came across and was hoping someone could provide more clarity on the behaviour by explaining it to me or pointing me to some links to read more about it (I did some digging but have not seen any good explanations yet :))

Scenario 1

  1. User logs into aka.ms/mysecurityinfo
  2. Selects the option to register a security key
  3. User is asked to enter a PIN, or to create a new PIN if he has not already
  4. User is asked to touch the key to verify presence

On step 4, if I click on another page or on my open Excel/Word document, so that the screen focus is now on this new page, and then proceed to touch my FIDO key to verify user presence, I get an error message saying I am using a private browser session and my key is not registered.

This happens all the time, and I was wondering why it happens or if it's a bug?

Scenario 2
The expected behaviour for bad PIN attempts is: after 4 bad PIN inputs the user is asked to remove and reinsert their key. They have another 4 attempts after this.
I have noticed that if I enter 3 bad inputs and proceed to enter the right PIN on my 4th attempt, I am still not allowed to log in. I get "too many incorrect PIN attempts, remove and reinsert your key".

I wanted to know if this is expected and can be changed, or if it is a limitation of the protocol?

Microsoft Entra ID
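Added illustration for the retry behaviour in Scenario 2 (this is editor-added example code, not from the question author, Microsoft, or any authenticator vendor). It models the two counters a CTAP2-style authenticator keeps for the PIN: a total retry budget that only a successful PIN restores, and a count of consecutive failures within one power cycle that only removing and reinserting the key clears. While that second counter is at its limit, the authenticator refuses the PIN check entirely, so a correct PIN is rejected with the same "blocked" result as a wrong one. The limits used here (8 total retries, 3 consecutive failures before a power cycle is required) are the CTAP2 defaults as I understand the specification and are assumptions of this model; the question itself reports 4 attempts per insertion for its setup, which this example does not reproduce. Real authenticators compare a hash of the PIN under a pinUvAuthProtocol rather than the raw string; that is simplified away here. The `Authenticator` class and `scenario_two` function are hypothetical names for this example.

```python
"""Model of a CTAP2-style authenticator PIN retry counter (added example, simplified)."""
import hmac
from dataclasses import dataclass

# Assumed limits, matching the CTAP2 defaults as I understand them.
MAX_PIN_RETRIES = 8            # total budget; reaching 0 blocks the PIN until the key is reset
MAX_CONSECUTIVE_FAILURES = 3   # failures within one power cycle before reinsertion is required

# CTAP2 status names used as return values of the model.
CTAP2_OK = "CTAP2_OK"
CTAP2_ERR_PIN_INVALID = "CTAP2_ERR_PIN_INVALID"             # wrong PIN, try again
CTAP2_ERR_PIN_AUTH_BLOCKED = "CTAP2_ERR_PIN_AUTH_BLOCKED"   # remove and reinsert the key
CTAP2_ERR_PIN_BLOCKED = "CTAP2_ERR_PIN_BLOCKED"             # retries exhausted, reset required


@dataclass
class Authenticator:
    """Hypothetical authenticator holding a PIN and the two retry counters."""
    pin: str
    retries: int = MAX_PIN_RETRIES
    consecutive_failures: int = 0

    def power_cycle(self) -> None:
        """Removing and reinserting the key clears only the per-power-cycle counter."""
        self.consecutive_failures = 0

    def verify_pin(self, candidate: str) -> str:
        """Check a PIN attempt and update the counters the way an authenticator would."""
        if self.retries == 0:
            return CTAP2_ERR_PIN_BLOCKED
        if self.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
            # The PIN is not even compared: this is why a correct PIN still fails
            # until the key has been power-cycled.
            return CTAP2_ERR_PIN_AUTH_BLOCKED
        if hmac.compare_digest(candidate.encode(), self.pin.encode()):
            self.retries = MAX_PIN_RETRIES       # success restores the full budget
            self.consecutive_failures = 0
            return CTAP2_OK
        self.retries -= 1
        self.consecutive_failures += 1
        if self.retries == 0:
            return CTAP2_ERR_PIN_BLOCKED
        if self.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
            return CTAP2_ERR_PIN_AUTH_BLOCKED
        return CTAP2_ERR_PIN_INVALID


def scenario_two(wrong_attempts: int) -> tuple:
    """Reproduce the post's Scenario 2: some wrong PINs, then the right PIN,
    then remove/reinsert the key and try the right PIN again.

    Returns (result before reinsert, result after reinsert, remaining retries).
    Constructed sample input: PIN "1234", wrong guesses of "0000".
    """
    auth = Authenticator(pin="1234")
    for _ in range(wrong_attempts):
        auth.verify_pin("0000")
    before_reinsert = auth.verify_pin("1234")
    auth.power_cycle()
    after_reinsert = auth.verify_pin("1234")
    return before_reinsert, after_reinsert, auth.retries


if __name__ == "__main__":
    print("3 wrong, then correct:", scenario_two(3))
    print("2 wrong, then correct:", scenario_two(2))
```

With three wrong attempts the correct PIN on the fourth try returns `CTAP2_ERR_PIN_AUTH_BLOCKED` and only succeeds after `power_cycle()`; with two wrong attempts the correct PIN is accepted immediately. The total budget keeps shrinking across power cycles, so repeated reinsertion does not give unlimited guesses: once `retries` reaches 0 the authenticator returns `CTAP2_ERR_PIN_BLOCKED` regardless of the PIN entered.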