Change the PIN requirements for FIDO2 WebAuthn Keys
Problem
When enrolling or using your FIDO2 authentication hardware keys with PortalGuard, you are prompted to set or enter the PIN for the device. You would like to change this requirement.
Requirements
You already have FIDO2 WebAuthn set up in PortalGuard as an available authentication method. Further details can be found here: https://bio-key.atlassian.net/l/c/u1Dfnjvx
Solution
Modify the userVerification value in the file “webauthn.js.aspx”, which is part of the PortalGuard UI files.
Using a text editor running as an administrator (we recommend Notepad++), open the following file:
C:\inetpub\PortalGuard_layouts\PG\webauthn.js.aspx
Search for “userVerification”
Modify this value to reflect the desired outcome:
required → The user is always required to use a PIN when using a FIDO2 WebAuthn key. The operation will fail if the PIN is not used.
preferred → The user will always be prompted to enter a PIN. The operation will not fail if a PIN is not used.
discouraged → The user will never be prompted to use a PIN when using a FIDO2 WebAuthn key.
Save this file (administrative access is required)
NOTE: Since ‘preferred’ will always prompt for a PIN and this prompt cannot be skipped, ‘required’ and ‘preferred’ will function the same to the end user. The difference is behind the scenes, where the API call will or will not fail based on the presence of the 'AuthenticatorDataFlags.UV' flag.
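The behind-the-scenes difference described in the note can be seen by reading the UV bit out of the authenticator data. The following is an added example, not PortalGuard code: the function names and sample bytes are assumptions made for illustration, and the byte layout (32-byte rpIdHash, 1 flags byte, 4-byte signature counter) comes from the WebAuthn specification.

```javascript
// Added example: relying-party style check of the UV flag in WebAuthn authenticator data.
// Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
const FLAG_UP = 0x01; // user present (key was touched)
const FLAG_UV = 0x04; // user verified (PIN or biometric was used)

function parseAuthenticatorData(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error("authenticator data must be at least 37 bytes");
  }
  const flags = authData[32];
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  return {
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// policy is the userVerification value that was sent to the browser.
function checkUserVerification(policy, authData) {
  if (!["required", "preferred", "discouraged"].includes(policy)) {
    throw new Error("unknown userVerification value: " + policy);
  }
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) {
    return { ok: false, reason: "UP flag not set" };
  }
  // Only 'required' turns a missing UV flag into a failure.
  if (policy === "required" && !parsed.userVerified) {
    return { ok: false, reason: "UV flag not set but userVerification is required" };
  }
  return { ok: true, reason: parsed.userVerified ? "user verified" : "accepted without verification" };
}

// Constructed sample data: zeroed rpIdHash, chosen flags byte, signCount = 7.
function sampleAuthData(flags) {
  const data = new Uint8Array(37);
  data[32] = flags;
  data[36] = 7;
  return data;
}

const withPin = sampleAuthData(FLAG_UP | FLAG_UV);
const touchOnly = sampleAuthData(FLAG_UP);
for (const policy of ["required", "preferred", "discouraged"]) {
  console.log(policy, checkUserVerification(policy, withPin).ok, checkUserVerification(policy, touchOnly).ok);
}
```

A response without the UV flag is rejected only under 'required'; under 'preferred' and 'discouraged' the same response is accepted.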