Yubico Forum ...visit our web-store at 2016-01-20T16:50:26+01:00 https://forum.yubico.com/feed.php?f=26&t=2146 2016-01-20T16:50:26+01:00 2016-01-20T16:50:26+01:00 https://forum.yubico.com/viewtopic.php?t=2146&p=8205#p8205 <![CDATA[Re: YubiKey 4 - cannot set PIN retry counter to desired valu]]>
I've decided instead of generating my authentication key on the Yubikey to generate it off-key so I can create a backup just in case.

I'll keep an eye out to see how the new spec, or your implementation, will handle locked keys.

Statistics: Posted by KenMacD — Wed Jan 20, 2016 4:50 pm

]]> 2016-01-20T14:16:46+01:00 2016-01-20T14:16:46+01:00 https://forum.yubico.com/viewtopic.php?t=2146&p=8204#p8204 <![CDATA[Re: YubiKey 4 - cannot set PIN retry counter to desired valu]]>
In short, we are currently waiting observing developments which will decide how we will bring this back.

Statistics: Posted by Tom2 — Wed Jan 20, 2016 2:16 pm

]]> 2016-01-20T03:52:45+01:00 2016-01-20T03:52:45+01:00 https://forum.yubico.com/viewtopic.php?t=2146&p=8201#p8201 <![CDATA[Re: YubiKey 4 - cannot set PIN retry counter to desired valu]]>
Also is there anything to prevent malware from coming along and locking the pins?

It would be really nice if there was a way for the counter to reset with every power-off. This is the way encrypted WD My Passport drives work, and seems like it would make a brute-force attack pretty much impossible.

Statistics: Posted by KenMacD — Wed Jan 20, 2016 3:52 am

]]> 2016-01-08T20:32:42+01:00 2016-01-08T20:32:42+01:00 https://forum.yubico.com/viewtopic.php?t=2146&p=8133#p8133 <![CDATA[Re: YubiKey 4 - cannot set PIN retry counter to desired valu]]> Tom2 wrote:

That's by specification.
Open PGP
http://g10code.com/docs/openpgp-card-3.0.pdf


Thank you for the reference. I notice that none of the OpenPGP specs (v1.0, 2.0, 3.0) actually include setting the retry counter to a specific value. They only say that at the reset it should return to the default.

However I find it very convenient and user-friendly that NEO extends this and allows me to set it to (say) 5 instead of 3, because (a) this is the policy where I employ it, and (b) it is perfectly convenient for me. So I'm very much disappointed that Yubico decided to get "strict" with Yubikey 4. There doesn't seem to be a reason (nor a need) for it.

Update
It is understandable why the standard may want to preclude users from being able to change the retry counter. Preventing the organizations that own and deploy such devices from setting whatever policy on the number of retries they see fit, seems very wrong - and I've yet to see a standard explicitly demanding this.

Statistics: Posted by Uriel — Fri Jan 08, 2016 8:32 pm

]]> 2016-01-08T16:39:53+01:00 2016-01-08T16:39:53+01:00 https://forum.yubico.com/viewtopic.php?t=2146&p=8131#p8131 <![CDATA[Re: YubiKey 4 - cannot set PIN retry counter to desired valu]]>
Open PGP

http://g10code.com/docs/openpgp-card-3.0.pdf

Statistics: Posted by Tom2 — Fri Jan 08, 2016 4:39 pm

]]> 2016-01-07T04:12:54+01:00 2016-01-07T04:12:54+01:00 https://forum.yubico.com/viewtopic.php?t=2146&p=8123#p8123 <![CDATA[Re: YubiKey 4 - cannot set PIN retry counter to desired valu]]> Tom2 wrote:

That feature is not available on the YubiKey 4


Wha...? Are you saying that on YubiKey 4 pin-retries is hard-coded to be "three times"?!

Statistics: Posted by mouse008 — Thu Jan 07, 2016 4:12 am

]]> 2016-01-05T12:17:53+01:00 2016-01-05T12:17:53+01:00 https://forum.yubico.com/viewtopic.php?t=2146&p=8114#p8114 <![CDATA[Re: YubiKey 4 - cannot set PIN retry counter to desired valu]]> Statistics: Posted by Tom2 — Tue Jan 05, 2016 12:17 pm

]]> 2016-01-04T04:36:05+01:00 2016-01-04T04:36:05+01:00 https://forum.yubico.com/viewtopic.php?t=2146&p=8109#p8109 <![CDATA[YubiKey 4 - cannot set PIN retry counter to desired value?]]>
Code:
gpg-connect-agent --hex "scd apdu 00 20 00 83 08 31 32 33 34 35 36 37 38" "scd apdu 00 f2 00 00 03 0a 0a 0a" /bye
D[0000]  90 00                                              ..
OK
D[0000]  90 00                                              ..
OK


On YubiKey 4 I'm getting a different result:
Code:
gpg-connect-agent --hex "scd apdu 00 20 00 83 08 31 32 33 34 35 36 37 38" "scd apdu 00 f2 00 00 03 0a 0a 0a" /bye
D[0000]  90 00                                              ..
OK
D[0000]  6D 00                                              m.
OK
$ gpg --card-status
Application ID ...: D2760001240102010006041398550000
Version ..........: 2.1
......
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0


Does it mean that the command to set retry counters on YubiKey 4 is not f2? What is it then?

Help would be appreciated!

Statistics: Posted by mouse008 — Mon Jan 04, 2016 4:36 am

]]>