Understanding YubiKey PINs


The Basics

 

  • Please note that YubiKeys do not ship with a default FIDO2 PIN set at the factory. For guidance, please review the YubiKey Technical Manual.
  • A YubiKey can have up to three PINs - one for its FIDO2 function, one for PIV (smart card), and one for OpenPGP.
  • The PIV and OpenPGP PINs are set to 123456 by default, but there is no FIDO2 PIN set from the factory.
  • If you are being prompted for a PIN (including setting one up), and you're not sure which PIN it is, most likely it is your YubiKey's FIDO2 PIN.
  • If you are using a Security Key Series key, FIDO2 is the only PIN you will be prompted for, as the Security Key Series keys do not support PIV or OpenPGP.

 

Shown below is an example of what a prompt to create a FIDO2 PIN on a YubiKey might look like in the Windows operating system.

 

[Screenshot: FIDO2 "create PIN" prompt in Windows 10 (f2-create-pin-prompt-w10.PNG)]

 

From this point forward, this article will focus on FIDO2 PINs. If you're having an issue with your PIV or OpenPGP PINs, refer to the following articles: 

More on FIDO2 PINs

Why they appear

  • FIDO2 is made up of two components - WebAuthn on the service provider end, and CTAP2 on the YubiKey end.
  • PIN prompts are a result of a WebAuthn setting known as User Verification. This setting is controlled by each service provider.
  • If a service provider does not specify a setting for User Verification, most modern browsers default it to Preferred (as per the WebAuthn spec), which may result in a PIN prompt.
  • If you prefer not to be prompted for a PIN, try disabling the YubiKey's FIDO2 function, and see if that eliminates the PIN prompt, while still allowing you to sign in. Note that FIDO2 is required for certain services (e.g. personal Microsoft accounts), so disabling the function on the YubiKey will cause it to not work or not be recognized by those services.
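The following is an added example (not Yubico's code) that models how a relying party's userVerification value, combined with the WebAuthn default described above, decides whether a FIDO2 PIN prompt appears. The prompt model is a simplification (assumption): "required" always needs the PIN, "discouraged" never asks, and "preferred" asks when the key already has a PIN set; the rpId and challenge are constructed.

```javascript
// Added example, not part of the Yubico article. Models the WebAuthn
// userVerification setting and its effect on FIDO2 PIN prompts.
const UV_VALUES = new Set(["required", "preferred", "discouraged"]);

// WebAuthn defaults userVerification to "preferred" when the RP omits it.
function resolveUserVerification(requested) {
  if (requested === undefined) return "preferred";
  if (!UV_VALUES.has(requested)) {
    throw new Error(`invalid userVerification: ${requested}`);
  }
  return requested;
}

// Build the publicKey options an RP would hand to navigator.credentials.get().
// challenge is the server-generated nonce (constructed by the caller here).
function buildGetOptions(rpId, challenge, userVerification) {
  return {
    rpId,
    challenge,
    timeout: 60000,
    userVerification: resolveUserVerification(userVerification),
  };
}

// Predict whether the client will prompt for the key's FIDO2 PIN.
// hasPin: whether the YubiKey already has a FIDO2 PIN (there is no factory default).
// Simplified model (assumption): some clients, e.g. Windows, may additionally
// offer to create a PIN under "preferred" when none exists yet.
function pinPromptExpected(options, hasPin) {
  switch (options.userVerification) {
    case "required":
      return true; // PIN must be entered (or set first if the key has none)
    case "discouraged":
      return false; // touch only, no PIN involved
    case "preferred":
      return hasPin; // clients use the PIN when one is configured
    default:
      throw new Error(`unexpected userVerification: ${options.userVerification}`);
  }
}

// Constructed usage: an RP that omits userVerification, talking to a key with a PIN.
const demoChallenge = new Uint8Array(32);
const demoOptions = buildGetOptions("example.com", demoChallenge, undefined);
console.log(demoOptions.userVerification, pinPromptExpected(demoOptions, true));
```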

PIN Management

A FIDO2 PIN can be set on a YubiKey with Yubico’s open source tool Yubico Authenticator on desktop or Android (not supported in Yubico Authenticator for iOS due to platform limitations) by navigating to the hamburger menu > Passkeys, and then accessing the meatballs menu (top right corner of the application) > Set PIN. It is also possible to set/change a YubiKey's FIDO2 PIN via Settings in Windows 11/10 under Accounts > Sign-in options > Security Key > Manage, and one may also be set when registering with certain services that use WebAuthn (e.g. personal Microsoft accounts). Resetting a YubiKey's FIDO2 function can effectively unregister the key from accounts it has been paired with using WebAuthn. However, changing its PIN from a known value to a new value (using Yubico Authenticator, Windows Settings, etc.) does not have this consequence. See the section Handling an unknown FIDO2 PIN below for more details.

 

Note that, in Windows, Yubico Authenticator will require local administrator permissions in order to access the Passkeys menu.

 

PIN Requirements

FIDO2 PINs can be up to 63 alphanumeric characters (in other words, letters and numbers). For YubiKeys from the 5 FIPS Series, the minimum PIN length is 6. For non-FIPS YubiKeys and Security Keys, the minimum is 4. Yubico keys technically allow any ASCII256 characters to be used for a FIDO2 PIN, but since one of the component standards of FIDO2 (WebAuthn) only requires that clients (browsers/apps/operating systems) support alphanumeric characters, we recommend sticking to those for a consistent user experience.

 

Handling an unknown FIDO2 PIN

If you are being prompted for a FIDO2 PIN and don't know what it is, you will need to reset the YubiKey's FIDO2 function to blank/reset the PIN. Be advised: this procedure will effectively unregister the key with every account it has been registered with using FIDO U2F or FIDO2, so we strongly recommend taking precautionary measures (see below) prior to resetting.

 

If the FIDO2 PIN is entered incorrectly 3 times in a row, the key will need to be reinserted before it will accept additional PIN attempts (reinserting "reboots" the device). If the PIN is entered incorrectly a total of 8 times in a row, the FIDO2 function will become blocked, requiring that it be reset. The number of remaining retries can be viewed at any time in YubiKey Manager by navigating to Applications > FIDO2.
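The following is an added example (not Yubico's code) that models the retry behaviour described above: 8 total retries, 3 consecutive failures within one power cycle requiring reinsertion, a correct PIN restoring the counter, and 0 retries blocking the FIDO2 function until a reset. The PIN value and the demo attempts are constructed.

```javascript
// Added example, not part of the Yubico article. Simulates the FIDO2 PIN
// retry counter so the effect of reinsertion vs. reset is easy to see.
const MAX_RETRIES = 8;          // total consecutive failures before block
const MAX_PER_POWER_CYCLE = 3;  // failures allowed before reinsertion is needed

class Fido2PinState {
  constructor(pin) {
    this.pin = pin;               // configured PIN (assumption: already set)
    this.retries = MAX_RETRIES;   // persists across reinsertion
    this.failsThisCycle = 0;      // cleared by reinsertion
    this.blocked = false;         // cleared only by a FIDO2 reset
  }

  // Remove and reinsert the key ("reboot"). Does NOT restore retries.
  reinsert() { this.failsThisCycle = 0; }

  // FIDO2 reset: PIN blanked, retries restored, block lifted
  // (in reality the registered credentials are also gone).
  reset() {
    this.pin = null; this.retries = MAX_RETRIES;
    this.failsThisCycle = 0; this.blocked = false;
  }

  // One PIN attempt; returns a status string.
  verifyPin(attempt) {
    if (this.blocked) return "blocked";                 // only a reset helps
    if (this.failsThisCycle >= MAX_PER_POWER_CYCLE) return "reinsert-required";
    if (this.pin !== null && attempt === this.pin) {
      this.retries = MAX_RETRIES; this.failsThisCycle = 0;
      return "ok";
    }
    this.retries -= 1; this.failsThisCycle += 1;
    if (this.retries === 0) { this.blocked = true; return "blocked"; }
    if (this.failsThisCycle >= MAX_PER_POWER_CYCLE) return "reinsert-required";
    return "wrong-pin";
  }
}

// Constructed demo: eight wrong guesses, reinserting whenever the key asks.
function demoLockout() {
  const key = new Fido2PinState("482913");
  const log = [];
  for (let i = 0; i < 8; i++) {
    const status = key.verifyPin("000000");
    log.push(status);
    if (status === "reinsert-required") key.reinsert();
  }
  return { log, retriesLeft: key.retries, blocked: key.blocked };
}
```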

 

If the unknown PIN is preventing you from accessing one of your accounts, a temporary fix might be to disable your key's FIDO2 function using Yubico Authenticator by opening the meatballs menu at the top right corner of the application from the Home screen and selecting Toggle applications. This may allow you to log in (or register) without needing the PIN on any service that doesn't require User Verification, but note that it will not blank the PIN, nor increase the number of PIN retries you have remaining, etc., so it should only be used as a temporary measure to regain access to an account and reconfigure its security settings in preparation for a FIDO2 reset.

 

If temporarily disabling FIDO2 on your key doesn't allow you to regain access, you may need to pursue alternative methods of login. Since these vary from service to service, please refer to the support documentation for the service in question (can be located via the Works With YubiKey Catalog) for specific guidance.

Note: Yubico is unable to assist with any account lockout situation, with the exception of the YubiEnterprise Delivery Console. Only the service provider has the ability to assist you with account lockouts.

Prior to performing a FIDO2 reset

Prior to performing a FIDO2 reset, you should:

 

  1. Determine which of your accounts will be affected
  2. Log in to those accounts and reconfigure their security settings

Any account your key has been registered with via FIDO U2F or FIDO2 will be affected by a FIDO2 reset. To determine which security protocols each of your accounts uses, search for them in the Works With YubiKey Catalog, and under each service's listing, look under Security protocol support for FIDO2/WebAuthn or Universal 2nd Factor (U2F).

 

For instance, in the Apple iCloud listing in the WWYK catalog under Tech specs, both of the above protocols are listed, but given that Universal 2nd Factor (U2F) is among them, a PIN is likely not required for the service. Microsoft accounts, by contrast, only support WebAuthn/FIDO2, so a PIN is required. Any accounts you have that list one or more of these protocols will likely be affected by a FIDO2 reset. Services that only list Yubico OTP, OATH-TOTP, etc., and do not include any of the aforementioned protocols should not be affected. Another way to identify whether a service requires a PIN is to ask: am I prompted for the YubiKey in addition to entering my account password to log in? If the answer is yes, then a PIN is likely not required to log into the service with your YubiKey.

 

For any accounts that would be affected, you should log in, unregister the key you plan to reset, and then make sure you can log back in and modify the account's two-factor authentication settings without your YubiKey. This will ensure that you'll be able to log in and get the key re-registered after performing the reset.

 

If you have a backup YubiKey registered, which we recommend, you may not need to be as thorough, as your backup key should allow you to log in to your accounts and modify their security settings, assuming it is set up properly. However, this should be verified for certain prior to performing the reset. To reset the FIDO2 function of the YubiKey, please see this article.