I encountered the same problem today on Windows when trying to enroll a FIDO security key with the Keeper Password Manager Desktop application. Windows sends a makeCredential with an empty pinUvAuthParam, to which the security key responds with CTAP2_ERR_PIN_INVALID after user presence has been confirmed.
I assume that this is a bug in Windows Hello. Probably Windows looks at the getInfo response first, and when clientPin=true and makeCredUvNotRqd=true, it sends a zero-length pinUvAuthParam. When no PIN is set (clientPin=false), it works, as Windows does not send a pinUvAuthParam in the makeCredential request. If a PIN is set but makeCredUvNotRqd=false, it works as well, as Windows first asks for the PIN and then sends a valid pinUvAuthParam.
Using an authenticator with CTAP 2.0 or CTAP 2.1 Pre also works, as those do not have the makeCredUvNotRqd option.
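A small triage helper for decoded CTAP traces, covering the option combinations described in the message above; it is an added example, not part of the original message or of any FIDO tooling. The function names and dict shapes are assumptions, and the PIN_NOT_SET and OPERATION_DENIED branches follow the CTAP specification's handling of a zero-length pinUvAuthParam rather than anything reported in the message.

```python
# Added illustration: classify a decoded getInfo / makeCredential pair.
# Inputs are plain dicts (assumed shape): getInfo "options" by name,
# makeCredential parameters by their integer CBOR map key.

CTAP2_ERR_OPERATION_DENIED = 0x27
CTAP2_ERR_PIN_INVALID = 0x31
CTAP2_ERR_PIN_NOT_SET = 0x35
PIN_UV_AUTH_PARAM = 0x08  # authenticatorMakeCredential parameter key


def zero_length_probe_status(pin_set, user_present):
    """Status an authenticator with clientPin support returns when the
    platform sends a zero-length pinUvAuthParam."""
    if not user_present:
        return CTAP2_ERR_OPERATION_DENIED
    return CTAP2_ERR_PIN_INVALID if pin_set else CTAP2_ERR_PIN_NOT_SET


def triage(options, mc_params, user_present=True):
    """Return (label, expected_status or None) for one request."""
    if "clientPin" not in options:
        return ("clientPin not supported (not modelled)", None)
    pin_set = options["clientPin"] is True
    uv_not_rqd = options.get("makeCredUvNotRqd") is True
    param = mc_params.get(PIN_UV_AUTH_PARAM)
    if param is None:
        return ("no pinUvAuthParam sent", None)
    if len(param) > 0:
        return ("non-empty pinUvAuthParam (verification not modelled)", None)
    label = "zero-length pinUvAuthParam"
    if pin_set and uv_not_rqd:
        label += ", matches the reported case"
    return (label, zero_length_probe_status(pin_set, user_present))


# Constructed sample pairs, one per case in the message (not captured traffic).
SAMPLES = [
    ({"clientPin": True, "makeCredUvNotRqd": True}, {PIN_UV_AUTH_PARAM: b""}),
    ({"clientPin": False, "makeCredUvNotRqd": True}, {}),
    ({"clientPin": True, "makeCredUvNotRqd": False},
     {PIN_UV_AUTH_PARAM: bytes(16)}),
    ({"clientPin": True}, {PIN_UV_AUTH_PARAM: bytes(16)}),  # no such option
]

if __name__ == "__main__":
    for opts, params in SAMPLES:
        label, status = triage(opts, params)
        print(opts, "->", label, hex(status) if status is not None else "-")
```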