This is finally a great article demystifying non-resident keys! I got a FIDO YubiKey a few months back; it came with no PIN set up, and I was surprised that I could just use it like that, since websites were not asking me to set one up explicitly.
I set it up via the CLI. Then all websites started asking for the PIN and storing the keys inside (resident keys).
Knowing that you only have limited slots, I tried deleting the PIN by resetting the YubiKey to revert to the old behavior, as there was no way of zeroizing the PIN any other way (for the sake of experimenting with the tech and understanding key management better; ofc PIN or BIO auth is better).
And then I suddenly found that I was unable to use the key to auth into the accounts I had set up before. In hindsight, I now know that by resetting the hardware key I reset the master key inside.
There really aren't many well-written introductions to how all of this works. Thank you for doing a great job demystifying the flow here!
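As an added illustration of the point in this comment (not code from the article, and not how any real YubiKey firmware works), a toy Python model of why non-resident credentials stop working after a factory reset: the credential ID a website stores is only recognisable under the device's current master secret, so replacing that secret orphans every earlier registration. The HMAC-based derivation and the `ToyAuthenticator` class are hypothetical simplifications.

```python
import hashlib
import hmac
import os


class ToyAuthenticator:
    """Toy model of FIDO non-resident credentials (hypothetical simplification).
    Nothing is stored per site: the credential ID handed to the website is a
    nonce plus an HMAC tag bound to the device's master secret and the rpId.
    Real devices use vendor-specific derivation and ECDSA keys; only the
    binding to the master secret is modelled here.
    """

    def __init__(self):
        self.master_secret = os.urandom(32)  # set at manufacture or on reset

    def reset(self):
        # A factory reset replaces the master secret, so every credential ID
        # issued before it can no longer be recognised or re-derived.
        self.master_secret = os.urandom(32)

    def _derive(self, rp_id, nonce):
        # Per-credential secret = PRF(master_secret, rpId || nonce)
        return hmac.new(self.master_secret, rp_id.encode() + nonce,
                        hashlib.sha256).digest()

    def _tag(self, rp_id, nonce, secret):
        # Integrity tag lets the device recognise its own credential IDs.
        return hmac.new(secret, b"cred-id" + rp_id.encode() + nonce,
                        hashlib.sha256).digest()[:16]

    def make_credential(self, rp_id):
        nonce = os.urandom(16)
        secret = self._derive(rp_id, nonce)
        return nonce + self._tag(rp_id, nonce, secret)  # the credential ID

    def get_assertion(self, rp_id, credential_id, challenge):
        nonce, tag = credential_id[:16], credential_id[16:]
        secret = self._derive(rp_id, nonce)
        if not hmac.compare_digest(tag, self._tag(rp_id, nonce, secret)):
            return None  # not ours, wrong site, or issued under an old secret
        return hmac.new(secret, challenge, hashlib.sha256).digest()


def login_still_works(rp_id, reset_between):
    """Register at rp_id, optionally factory-reset, then try to sign in."""
    auth = ToyAuthenticator()
    cred_id = auth.make_credential(rp_id)
    if reset_between:
        auth.reset()
    return auth.get_assertion(rp_id, cred_id, b"challenge") is not None
```

The same mechanism is why a credential ID issued for one rpId is rejected when presented under another: the derivation input differs, so the tag no longer verifies.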