YubiKey smart card deployment guide


Introduction

Yubico changes the game for strong authentication, providing superior security with unmatched ease-of-use. Our core invention, the YubiKey, is a small USB and NFC device supporting multiple authentication and cryptographic protocols. With a simple touch, it protects access to computers, networks, and online services for the world’s largest organizations.

PIV and YubiKeys

The YubiKey 5 Series, YubiKey 4 Series, and YubiKey FIPS Series devices all support the Personal Identity Verification (PIV) application specified in NIST SP 800-73-4, Interfaces for Personal Identity Verification. Microsoft Windows supports traditional PIV smart cards for user authentication, which allows the YubiKey to be used as a strong authentication solution.

The YubiKey Smart Card Minidriver extends Windows support for the YubiKey beyond authentication alone: it lets Windows load and directly manage certificates on the device. This allows an easy-to-use, easy-to-deploy, scalable implementation of strong multi-factor authentication across an entire organization using the native Windows tools and the YubiKey. It also adds capabilities such as multiple authentication certificates on one YubiKey and support for Windows' integrated PIN unblocking functionality, among others.

PIV deployment

This document covers the basic steps required to set up an Active Directory domain environment for smart card authentication, including considerations before provisioning YubiKeys for smart card login. We recommend that a qualified domain administrator be in charge of the process and that you use these instructions as a guideline for deployment. Rather than cover the complexities inherent in a corporate environment (for example, an enterprise root certification authority, multiple subordinate certificate authorities, certificate revocation lists, and so on), these instructions cover only the basic topics.


YubiKey and YubiKey Smart Card Minidriver deployment guides

YubiKey Smart Card Minidriver features
Overview of the features and functions the YubiKey Smart Card Minidriver adds to the native Windows smart card framework.

YubiKey smart card deployment considerations
YubiKey Smart Card Minidriver environmental and system requirements and compatibility, as well as items to consider prior to setup.

Setting up Windows Server for YubiKey PIV authentication
Configuring Windows Server for smart card authentication using the YubiKey.

Smart card login for user self-enrollment
Steps for setting up Windows Server to allow users to enroll their own YubiKeys as smart cards directly.

Smart card login for enroll on behalf of
Steps for setting up Windows Server to allow IT admins, service desk staff, or others to enroll YubiKeys on behalf of other users.

Smart card deployment: Manually importing user certificates
Instructions on importing user certificates created on a different server.

Deploying the YubiKey Smart Card Minidriver to workstations and servers
How to deploy the YubiKey Smart Card Minidriver to endpoints and servers.

YubiKey PIN and PUK user management
How users and administrators can set or change the PIN and PIN Unlock Key (PUK).

Smart card basic troubleshooting
Basic troubleshooting for the YubiKey as a PIV smart card with Windows.


Getting additional help

For more information, and to get help with your YubiKeys, see:

Tip: When filing a ticket, to assist in diagnosing issues, we recommend that you include a log file containing the issue observed. To enable the debug log file, add the following registry key. Log files will be created for each running process in C:\Logs:
Key: HKLM\Software\Yubico\ykmd
Value: DebugOn (DWORD) - to enable logging, set the value to 1.
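The following PowerShell helpers are an added example, not part of the Yubico page: they set, check, and clear the DebugOn value described in the tip, and bundle whatever is in C:\Logs into an archive for the support ticket. The registry path, value name, and meaning of 1 come from the page; the function names, the archive path, and the assumption that logging is off at 0 are this example's own. Run it from an elevated session, since writing under HKLM requires administrator rights.

```powershell
# Added example (not Yubico's own tooling). Toggles the YubiKey Minidriver
# debug log via HKLM\Software\Yubico\ykmd\DebugOn, as described in the tip,
# and collects the resulting C:\Logs files for a support ticket.
# Assumptions: elevated session; 0 disables logging (the page only documents 1).

$KeyPath   = 'HKLM:\SOFTWARE\Yubico\ykmd'   # key named in the tip
$ValueName = 'DebugOn'                      # REG_DWORD, 1 = logging on
$LogDir    = 'C:\Logs'                      # location named in the tip

function Get-YkmdDebugLogStatus {
    # Returns $true when DebugOn is present and set to 1, otherwise $false
    if (-not (Test-Path $KeyPath)) { return $false }
    $value = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $value) { return $false }
    return ($value.$ValueName -eq 1)
}

function Enable-YkmdDebugLog {
    # Create the key if it is missing, then set DebugOn = 1 as a DWORD
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host "Minidriver debug logging enabled; per-process logs are written to $LogDir"
}

function Disable-YkmdDebugLog {
    # Assumption: 0 turns logging off again. Set it back once diagnosis is done so
    # the Minidriver does not keep writing a log for every process indefinitely.
    if (Test-Path $KeyPath) {
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value 0 -Type DWord
        Write-Host 'Minidriver debug logging disabled'
    }
}

function Export-YkmdDebugLogs {
    # Zip the current contents of C:\Logs so they can be attached to the ticket.
    # The archive name is this example's choice, not something the page specifies.
    param([string]$Destination = "$env:USERPROFILE\Desktop\ykmd-logs-$(Get-Date -Format yyyyMMdd-HHmmss).zip")
    if (-not (Test-Path $LogDir)) {
        Write-Warning "$LogDir does not exist; reproduce the issue with logging enabled first"
        return $null
    }
    $files = Get-ChildItem -Path $LogDir -File -ErrorAction SilentlyContinue
    if (-not $files) {
        Write-Warning "$LogDir contains no log files yet"
        return $null
    }
    Compress-Archive -Path (Join-Path $LogDir '*') -DestinationPath $Destination -Force
    Write-Host "Collected $($files.Count) log file(s) into $Destination"
    return $Destination
}

# Typical sequence when working a support case:
#   Enable-YkmdDebugLog
#   ... reproduce the smart card problem ...
#   Export-YkmdDebugLogs        # attach the returned .zip to the ticket
#   Disable-YkmdDebugLog
#   Get-YkmdDebugLogStatus      # expect False once logging is turned off
```

Review the collected log files before attaching them to a ticket, as with any diagnostic output from an authentication component, and turn the DebugOn value back off when the case is closed.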
Warning: Yubico Support is limited to addressing issues regarding the direct use of YubiKeys with a deployed Windows Active Directory Certificate Services (AD CS) environment. Issues falling outside this responsibility include, but are not limited to, inaccessible CRL(s), domain trust issues, expired server certificates, cached credentials, Kerberos ticket issues, and other features outside of smart card authentication and issuance.
Note: The YubiKey Bio Multi-protocol Edition supports fingerprint verification in lieu of the PIN when performing cryptographic operations. For PIV smart card use, however, client software or middleware is required to offer users this fingerprint option. Yubico has implemented support for this in the Yubico Minidriver from version 4.6.1 (available only for Windows). If users attempt to use the PIV smart card application on the YubiKey Bio Multi-protocol Edition without supporting middleware, they will encounter limitations.

In scenarios where supporting middleware is not available or not utilized, users can still access the PIV application on the YubiKey Bio Multi-protocol Edition. However, they will not have the option to utilize fingerprint authentication for cryptographic operations. Instead, they will need to rely on traditional methods such as entering a PIN.

While users can still access the PIV application and perform cryptographic operations in that case, they miss out on the convenience and the potentially enhanced security offered by biometric authentication, and must fall back on the PIN.