From 40703945d1f3b82348a30521850277e0664aefa7 Mon Sep 17 00:00:00 2001
From: Yorick van Pelt
Date: Sat, 11 Apr 2026 17:20:43 +0200
Subject: [PATCH] fido2prf: try to assert without a PIN first

For my device that has a screen for the PIN, supplying any PIN will cause the assertion to fail. Try doing it without the PIN first. (it's impossible to enter an empty PIN via getPIN in the current code)
---
 fido2prf/fido2prf.go | 29 ++++++++++++++++++++++-------
 1 file changed, 22 insertions(+), 7 deletions(-)

diff --git a/fido2prf/fido2prf.go b/fido2prf/fido2prf.go
index 59029cb..a1b4ab8 100644
--- a/fido2prf/fido2prf.go
+++ b/fido2prf/fido2prf.go
@@ -98,23 +98,38 @@ func (i *Identity) assert(nonce []byte) ([]byte, error) {
 		return nil, err
 	}
-	pin, err := i.getPIN()
-	if err != nil {
-		return nil, err
-	}
-
+	// Try without PIN first (for devices that handle PIN on-device).
 	assertion, err := device.Assertion(
 		i.relyingParty,
 		make([]byte, 32),
 		[][]byte{i.credentialID},
-		pin,
+		"",
 		&libfido2.AssertionOpts{
 			Extensions: []libfido2.Extension{libfido2.HMACSecretExtension},
 			HMACSalt: hmacSecretSalt(nonce),
 			UV: libfido2.True,
 		},
 	)
-	if err != nil {
+	if errors.Is(err, libfido2.ErrPinRequired) {
+		pin, err := i.getPIN()
+		if err != nil {
+			return nil, err
+		}
+		assertion, err = device.Assertion(
+			i.relyingParty,
+			make([]byte, 32),
+			[][]byte{i.credentialID},
+			pin,
+			&libfido2.AssertionOpts{
+				Extensions: []libfido2.Extension{libfido2.HMACSecretExtension},
+				HMACSalt: hmacSecretSalt(nonce),
+				UV: libfido2.True,
+			},
+		)
+	}
+	if errors.Is(err, libfido2.ErrNoCredentials) {
+		continue
+	} else if err != nil {
 		return nil, err
 	}
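Review bot: The PIN fallback path can never succeed, because `pin, err := i.getPIN()` inside the `if errors.Is(err, libfido2.ErrPinRequired)` block declares a new `err` that shadows the outer one, so the retry's `assertion, err = device.Assertion(...)` writes into the inner variable and the outer `err` still holds ErrPinRequired when the `errors.Is(err, libfido2.ErrNoCredentials)` / `else if err != nil` checks run, returning an error even after a valid PIN assertion. Use a distinct name for the getPIN error so the retry assigns the outer `err`: `pin, pinErr := i.getPIN()`, `if pinErr != nil {`, `return nil, pinErr`. The duplicated Assertion argument list would also be easier to keep in sync if the `AssertionOpts` literal were built once into a local before the first call. The file's import block is not in this hunk; if `errors` was not already imported, this patch alone does not compile. The body of `assert` (including the loop the `continue` belongs to) begins and ends outside the hunk.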