Bug 1831394 Comment 0 Edit History


Using a Yubikey 5 series authenticator, I see a retry count of 7 after my first incorrect PIN entry, but after three incorrect PIN entries the authenticator is blocked and needs a power cycle. QA reports that they saw a -1 count from a different authenticator model.

Looks like we're confusing the counter for the `CTAP2_ERR_PIN_BLOCKED` code ([pinRetries](https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-errata-20220621.html#pinretries)) with the counter for the `CTAP2_ERR_PIN_AUTH_BLOCKED` code, which always starts at 3 ("If the authenticator sees 3 consecutive mismatches, it returns CTAP2_ERR_PIN_AUTH_BLOCKED, indicating that power cycling is needed for further operations.")
Using a Yubikey 5 series authenticator, I see a retry count of 7 after my first incorrect PIN entry, but after three incorrect PIN entries the authenticator needs a power cycle.

We can't expect the user to know that [pinRetries](https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-errata-20220621.html#pinretries) is counting down to the `CTAP2_ERR_PIN_BLOCKED` event and not the `CTAP2_ERR_PIN_AUTH_BLOCKED` event.

It would be better to only show the retry count when it is equal to 1, 2, or 3, so that it is always interpreted as counting down to a `CTAP2_ERR_PIN_BLOCKED`.
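The following is an added example, not code from the bug, from Firefox, or from the CTAP specification; it models the two counters the comment above describes so the reported sequence (7 retries shown after the first mismatch, device blocked after the third) can be reproduced, and implements the proposed "show the count only when it is 1, 2 or 3" rule on the client side. `SimAuthenticator`, `verify_pin`, `retries_to_display` and `reproduce_report` are names chosen here; the starting value of 8 is the CTAP 2.1 maximum for `pinRetries`, and the rule that a blocked authenticator rejects further attempts without decrementing until it is power cycled is an assumption about device behaviour.

```rust
// Added illustrative model of CTAP 2.1 PIN retry handling (not Firefox or
// authenticator-rs code). Two independent limits apply to a wrong PIN:
//  - pinRetries, persisted across power cycles, counting down to
//    CTAP2_ERR_PIN_BLOCKED (PIN must be reset);
//  - a per-power-cycle count of consecutive mismatches, which at 3 yields
//    CTAP2_ERR_PIN_AUTH_BLOCKED until the device is power cycled.

const MAX_PIN_RETRIES: u8 = 8; // CTAP 2.1 maximum for pinRetries
const MAX_CONSECUTIVE_MISMATCHES: u8 = 3; // per power cycle, per the spec text quoted above

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum CtapStatus {
    Ok,
    Ctap2ErrPinInvalid,     // 0x31: wrong PIN, attempts remain
    Ctap2ErrPinBlocked,     // 0x32: pinRetries reached 0
    Ctap2ErrPinAuthBlocked, // 0x34: 3 consecutive mismatches since power-up
}

pub struct SimAuthenticator {
    pin: Vec<u8>,
    pin_retries: u8,
    consecutive_mismatches: u8,
    auth_blocked: bool,
}

impl SimAuthenticator {
    pub fn new(pin: &[u8]) -> Self {
        SimAuthenticator {
            pin: pin.to_vec(),
            pin_retries: MAX_PIN_RETRIES,
            consecutive_mismatches: 0,
            auth_blocked: false,
        }
    }

    /// What authenticatorClientPIN getPinRetries would report.
    pub fn get_pin_retries(&self) -> u8 {
        self.pin_retries
    }

    /// Power cycling clears only the per-session auth block, not pinRetries.
    pub fn power_cycle(&mut self) {
        self.consecutive_mismatches = 0;
        self.auth_blocked = false;
    }

    /// Assumed authenticator behaviour on a PIN check (getPinToken and friends).
    pub fn verify_pin(&mut self, attempt: &[u8]) -> CtapStatus {
        if self.pin_retries == 0 {
            return CtapStatus::Ctap2ErrPinBlocked;
        }
        if self.auth_blocked {
            // Assumption: a blocked device rejects without decrementing.
            return CtapStatus::Ctap2ErrPinAuthBlocked;
        }
        if attempt == self.pin.as_slice() {
            self.pin_retries = MAX_PIN_RETRIES; // a correct PIN resets the counter
            self.consecutive_mismatches = 0;
            return CtapStatus::Ok;
        }
        self.pin_retries -= 1;
        self.consecutive_mismatches += 1;
        if self.pin_retries == 0 {
            return CtapStatus::Ctap2ErrPinBlocked;
        }
        if self.consecutive_mismatches >= MAX_CONSECUTIVE_MISMATCHES {
            self.auth_blocked = true;
            return CtapStatus::Ctap2ErrPinAuthBlocked;
        }
        CtapStatus::Ctap2ErrPinInvalid
    }
}

/// Client-side rule proposed in the comment: surface pinRetries only when it
/// is 1, 2 or 3, so a displayed number always counts down to PIN_BLOCKED.
pub fn retries_to_display(pin_retries: u8) -> Option<u8> {
    match pin_retries {
        1..=3 => Some(pin_retries),
        _ => None,
    }
}

/// Reproduce the report: a fresh device and three wrong PINs in one session.
/// Returns (pinRetries after the attempt, status, what the UI would show).
pub fn reproduce_report() -> Vec<(u8, CtapStatus, Option<u8>)> {
    let mut dev = SimAuthenticator::new(b"1234");
    (0..3)
        .map(|_| {
            let status = dev.verify_pin(b"0000"); // constructed wrong PIN
            let retries = dev.get_pin_retries();
            (retries, status, retries_to_display(retries))
        })
        .collect()
}

fn main() {
    for (i, (retries, status, shown)) in reproduce_report().iter().enumerate() {
        println!("attempt {}: pinRetries={} status={:?} ui={:?}", i + 1, retries, status, shown);
    }
}
```

Run against the model, the first mismatch leaves `pinRetries` at 7 and the third returns `CTAP2_ERR_PIN_AUTH_BLOCKED` with 5 retries still remaining, which is the mismatch between the displayed count and the observed block; under the proposed rule nothing is shown for any of those three attempts, and a number only appears once `pinRetries` has dropped to 3.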
