YubiKey PIN and PUK User Management on Windows


Note:
The YubiKey Bio Multi-protocol Edition supports fingerprint verification in
lieu of the PIN when performing cryptographic operations. For the PIV smart
card function, however, offering users this fingerprint option requires
client software or middleware. Yubico has implemented this support in the
Yubico Minidriver from version 4.6.1. Users who attempt to use PIV smart card
on the YubiKey Bio Multi-protocol Edition without supporting middleware will
encounter limitations.

Where supporting middleware is not available or not used, users can still
access the PIV application on the YubiKey Bio Multi-protocol Edition and
perform cryptographic operations, but fingerprint authentication is not
offered for those operations. They must instead rely on traditional methods
such as entering a PIN, and so lose the convenience and potentially enhanced
security of biometric authentication.

This page details using the Windows native interface with the Yubico Minidriver to manage the PIN and PUK on the YubiKey PIV function. For users on Linux or macOS, YubiKey Manager should generally be used, although note that in macOS, the Terminal command sc_auth changepin can be used to change the PIN.

Setting the PIN

Once a YubiKey is registered, the user’s PIN should be changed if the default value (123456) is still set. Once users have logged into their account, they can change the PIN of a YubiKey connected to their system as follows:

  1. Use Ctrl+Alt+Del to enter the lock screen.

  2. Select Change a Password from the options presented.

  3. The user is prompted to enter the current PIN, as well as the new PIN.

  4. Press Enter to commit the new PIN.

PIN Unblock

By default, the user PIN is blocked when three consecutive incorrect PINs have been entered. The PIN Unblock Code (PUK) is used for unblocking the user PIN. If both the PIN and the PUK are blocked, the YubiKey must be reset, which deletes any loaded certificates and returns the YubiKey to a factory default state.

The YubiKey Minidriver will block the PUK if it is set to the factory default value. Once the PUK is blocked, it cannot be used unless the PIV applet is reset. To use the PUK, it must be first set with the YubiKey Manager before using the YubiKey Minidriver to load or modify certificates on the YubiKey PIV Applet.

If using the YubiKey Manager, the command below will prompt the user to set a new PUK value:

ykman piv change-puk

The current and new values for the PUK should be entered in alphanumeric text. These values are not automatically recorded, and should be noted for future use.

When unblocking the PIN via the Windows 7 logon interface, Windows requires the PIN unblock code (PUK) to be typed in as hexadecimal digits. This means that if your PUK is 12345678, to unblock a PIN through the Windows UI, you must type the ASCII hex-encoded bytes of the PUK string (in this case, the unlock code would be 3132333435363738). Refer to an ASCII chart (for example, www.asciitable.com) to encode a PUK in hexadecimal.
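The conversion described above, as an added PowerShell example that is not part of the original page or of Yubico's tooling: it turns a PUK into the ASCII hex string the Windows 7 unblock dialog expects and decodes it back, checking the page's own default value on the way. The 6-to-8-character length check is an assumption about what the YubiKey PIV application accepts; the function names ConvertTo-PukHex and ConvertFrom-PukHex are hypothetical.

```powershell
# Added example, not from the original page: hex-encode a PUK for the
# Windows 7 unblock dialog, and decode such a string back to text.
function ConvertTo-PukHex {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Puk
    )
    # Assumption: the YubiKey PIV application accepts PUKs of 6 to 8 characters.
    if ($Puk.Length -lt 6 -or $Puk.Length -gt 8) {
        throw "PUK must be 6 to 8 characters long (got $($Puk.Length))."
    }
    # Reject anything outside printable ASCII: the ASCII encoder would
    # silently replace such characters with '?' (0x3F) and change the PUK.
    foreach ($c in $Puk.ToCharArray()) {
        if ([int]$c -lt 0x20 -or [int]$c -gt 0x7E) {
            throw "PUK must contain only printable ASCII characters."
        }
    }
    # Each ASCII character becomes two hex digits, e.g. '1' (0x31) -> "31".
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($Puk)
    return (($bytes | ForEach-Object { $_.ToString('X2') }) -join '')
}

function ConvertFrom-PukHex {
    param(
        [Parameter(Mandatory)]
        [string]$Hex
    )
    if ($Hex.Length % 2 -ne 0 -or $Hex -notmatch '^[0-9A-Fa-f]+$') {
        throw "Not a valid hex string: '$Hex'."
    }
    # Take the string two hex digits at a time and turn each pair into a byte.
    $bytes = for ($i = 0; $i -lt $Hex.Length; $i += 2) {
        [Convert]::ToByte($Hex.Substring($i, 2), 16)
    }
    return [System.Text.Encoding]::ASCII.GetString([byte[]]$bytes)
}

# The page's own example: the default PUK 12345678 encodes as 3132333435363738.
$hex = ConvertTo-PukHex -Puk '12345678'
"Hex-encoded PUK: $hex"
"Round-trip:      $(ConvertFrom-PukHex -Hex $hex)"
```

Pass the real PUK in from a prompt (for example Read-Host) rather than typing it on the command line, so that it does not end up in the shell history; the literal '12345678' above is only the factory default quoted by the page.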

To unblock the user PIN

  1. With the YubiKey inserted, attempt to log in at the Windows login screen. When the PIN is blocked, the “change a password” screen is displayed. The following screenshot is an example using Windows 10.

[Screenshot: Windows 10 “change a password” screen shown when the PIN is blocked]

  2. Select the checkbox for Unblock smart card.

  3. On Windows 7, enter the PUK in the Response field in hexadecimal format (example: the default value of 12345678 in hexadecimal format is 3132333435363738).
    For Windows 8 and above and Server 2012 and up, the PUK can be entered as normal text in the PIN Unblocking field.

  4. In the New PIN and Confirm PIN fields, enter a new, properly formatted PIN, and then press Enter.

  5. Remove and then reinsert the YubiKey, and test the new PIN to verify you can access the account.

Note: To enable this function, the "Allow Integrated Unblock screen to be displayed at the time of logon" Group Policy Object must be set. This setting is located in:

Computer Configuration > Administrative Templates > Windows Components > Smart Card
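A way to check from the workstation whether that policy is actually in effect, as an added PowerShell example that is not part of the original page: it reads the registry value the Group Policy setting is written to. That the setting is stored as the AllowIntegratedUnblock DWORD under the SmartCardCredentialProvider policy key is an assumption about Windows, not something stated on this page; the function name Test-IntegratedUnblockPolicy is hypothetical. Run it in an elevated PowerShell on the machine whose logon screen you are troubleshooting.

```powershell
# Added example, not from the original page: report whether the
# "Allow Integrated Unblock screen to be displayed at the time of logon"
# policy is configured and enabled on this machine.
function Test-IntegratedUnblockPolicy {
    # Assumption: this is the registry location the GPO setting maps to.
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider'
    $name = 'AllowIntegratedUnblock'

    if (-not (Test-Path -Path $key)) {
        return [pscustomobject]@{ Configured = $false; Enabled = $false; Source = 'policy key not present' }
    }

    # -ErrorAction SilentlyContinue makes a missing value come back as $null
    # instead of terminating the function.
    $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $value) {
        return [pscustomobject]@{ Configured = $false; Enabled = $false; Source = 'value not set' }
    }

    # A DWORD of 1 means "Enabled"; 0 means the policy was explicitly disabled.
    return [pscustomobject]@{
        Configured = $true
        Enabled    = ($value -eq 1)
        Source     = "$key\$name = $value"
    }
}

$result = Test-IntegratedUnblockPolicy
$result | Format-List
if (-not $result.Enabled) {
    Write-Warning 'Integrated Unblock is not enabled; the "Unblock smart card" checkbox will not appear at logon.'
}
```

If the value is absent, the policy is "Not Configured" and the unblock checkbox will not be offered; set the GPO at the path above (or via the equivalent local policy) and run gpupdate before testing the logon screen again.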
