On June 12, 2022 (Japan Time), the Salesforce <Summer '22> update was released, featuring the updated support for WebAuthn (FIDO 2). Now, while registering a new security key, the key will request the user to set up a PIN.
Following these changes, countless inquiries have arisen regarding using the FIDO security key. Thus, this article aims to explain the differences due to the introduction of FIDO 2 by Salesforce.
Previously, MFA with the FIDO security key was [U2F], but with the release, there has been a shift from U2F to FIDO2 that brings with it what is possibly the most significant change for users: the introduction of PINs.
This PIN will be created during the set-up process and will be required for all subsequent device uses. In essence, this PIN then serves as a kind of proof of ownership of the device.
Contents
● Asked for the PIN when you cannot recall setting it up
According to FIDO 2, the PIN entry is required to access the key. This PIN is set up when you register the key for the first time, so this request may not be for PIN entry but instead for PIN setup.
● Forgetting the PIN
Upon repeatedly entering an incorrect PIN, the device may be locked.
The initial request for PIN setup is often mistaken as a request for PIN entry, so if this is your first time using the key, the request is for PIN setup.
If this is not your first time and you have simply forgotten your PIN, there are two options.
The key will lock if an incorrect PIN is entered eight times in a row. If this occurs, reset the device and register it again as a new device.
● Key is locked
The key will lock if an incorrect PIN is entered eight times in a row. If this occurs, reset the device and register it again as a new device.
● Changes to previously used keys
Despite the update, continued use of the old U2F keys is possible; there is no need to set up a PIN.
※Be careful while sharing a key; when a PIN is set for the key, everyone using the key will be required to enter the new PIN.
※Also, if you reset the key, this will result in it being reset for all the other users as well. For more, read the Resetting the key section.
● Changing the PIN
The device will require the current PIN and a new PIN to replace it to change the existing PIN. Please note that if an incorrect PIN is entered eight times, the key will lock and need resetting.
To change the password from your Windows settings, navigate to
Windows Account Settings → Sign-in Options → Click "Manage" of "Security Key" → Click "Change" button
Then enter the current PIN and new PIN to make the change.
● Resetting the PIN
Here, it is essential to note that upon resetting the key, you will need to re-register all users, services, and the key.
※The reset key will be different from the key used thus far.
Windows Account Settings → Sign-in Options → Click "Manage" of "Security Key" → Click "Reset" button
Following this, a warning will appear. Click Continue, then follow the on-screen instructions detailing inserting, touching, resetting the key, and so on.
