diff --git a/crypto.c b/crypto.c
index 83f11cb..fee5579 100644
--- a/crypto.c
+++ b/crypto.c
@@ -38,6 +38,11 @@ void crypto_sha256_init()
     sha256_init(&sha256_ctx);
 }
 
+void crypto_reset_master_secret()
+{
+    ctap_generate_rng(master_secret, 32);
+}
+
 
 void crypto_sha256_update(uint8_t * data, size_t len)
 {
diff --git a/crypto.h b/crypto.h
index bb4ba38..6ca99e5 100644
--- a/crypto.h
+++ b/crypto.h
@@ -33,6 +33,7 @@ void crypto_aes256_reset_iv();
 void crypto_aes256_decrypt(uint8_t * buf, int lenth);
 void crypto_aes256_encrypt(uint8_t * buf, int lenth);
 
+void crypto_reset_master_secret();
 
 
 extern const uint8_t attestation_cert_der[];
diff --git a/ctap.c b/ctap.c
index 23fb7ae..36e3137 100644
--- a/ctap.c
+++ b/ctap.c
@@ -1994,6 +1994,14 @@ uint8_t ctap_handle_packet(uint8_t * pkt_raw, int length, CTAP_RESPONSE * resp)
             break;
         case CTAP_RESET:
             printf1(TAG_CTAP,"CTAP_RESET\n");
+            if (ctap_user_presence_test())
+            {
+                ctap_reset();
+            }
+            else
+            {
+                status = CTAP2_ERR_NOT_ALLOWED;
+            }
             break;
         case GET_NEXT_ASSERTION:
             printf1(TAG_CTAP,"CTAP_NEXT_ASSERTION\n");
@@ -2085,3 +2093,14 @@ void ctap_reset_pin_attempts()
     _flash_tries = 8;
 }
 
+void ctap_reset()
+{
+    _flash_tries = 8;
+    PIN_CODE_SET = 0;
+    DEVICE_LOCKOUT = 0;
+    memset(PIN_CODE,0,sizeof(PIN_CODE));
+    memset(PIN_CODE_HASH,0,sizeof(PIN_CODE_HASH));
+    crypto_ecc256_make_key_pair(KEY_AGREEMENT_PUB, KEY_AGREEMENT_PRIV);
+    crypto_reset_master_secret();
+}
+
diff --git a/ctap.h b/ctap.h
index 62f176c..7cb3581 100644
--- a/ctap.h
+++ b/ctap.h
@@ -229,6 +229,7 @@ int8_t ctap_leftover_pin_attempts();
 void ctap_reset_pin_attempts();
 uint8_t ctap_is_pin_set();
 uint8_t ctap_pin_matches(uint8_t * pin, int len);
+void ctap_reset();
 
 
 // Test for user presence