My definition of a PIN is a password that can safely be short (i.e. low entropy), which means you can only use it against a system capable of enforcing a rate limit.
That can be local trusted hardware (such as a secure enclave, a YubiKey, etc.) or a remote backend via something like SRP.
> If the passkey requires a PIN, I don't bother. I just can't be bothered to remember it.
Then use your password! A PIN can, but does not have to, be short :) FIDO-compliant authenticators have to accept up to 255 UTF-8 characters; you're by no means limited to a numeric 4-digit code.
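As an added illustration (my own code, not the commenter's), this Python model shows why a short PIN is only acceptable behind a verifier that enforces a retry budget: the class, the exhaustive-guess simulation, and the retry budget of 8 are all assumptions, with the budget chosen to mirror the FIDO2 CTAP PIN retry counter.

```python
import hashlib
import hmac
import os

# Constructed model of a rate-limiting PIN verifier in the spirit of a
# hardware authenticator: the PIN may be low-entropy because the verifier
# refuses every further guess after a small number of failures.
MAX_RETRIES = 8  # assumed budget, modelled on the FIDO2 CTAP PIN retry counter

def _derive(pin: str, salt: bytes) -> bytes:
    # The PIN is accepted as arbitrary UTF-8 text, not just digits.
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, 10_000)

class RateLimitedPinVerifier:
    def __init__(self, pin: str, max_retries: int = MAX_RETRIES):
        self.salt = os.urandom(16)
        self.digest = _derive(pin, self.salt)
        self.max_retries = max_retries
        self.retries_left = max_retries
        self.blocked = False

    def verify(self, candidate: str) -> bool:
        if self.blocked:
            return False  # locked out: even the correct PIN is refused now
        ok = hmac.compare_digest(_derive(candidate, self.salt), self.digest)
        if ok:
            self.retries_left = self.max_retries  # success resets the counter
        else:
            self.retries_left -= 1
            if self.retries_left == 0:
                self.blocked = True
        return ok

def guess_all_four_digit(verifier: RateLimitedPinVerifier):
    """Simulate exhaustive guessing of 0000..9999; returns (found, attempts)."""
    for n in range(10_000):
        attempts = n + 1
        if verifier.verify(f"{n:04d}"):
            return True, attempts
        if verifier.blocked:
            return False, attempts  # the lockout ends the attack early
    return False, 10_000

def brute_force_success_probability(pin_space: int, attempts: int) -> float:
    """Chance a uniformly chosen PIN falls inside the guesser's attempt budget."""
    return min(attempts, pin_space) / pin_space
```

With the budget in place a 4-digit PIN yields a 0.08% chance of compromise before lockout; with no budget the same PIN space is exhausted in at most 10,000 tries, which is the difference the comment is drawing.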