Understanding YubiKey PINs


The Basics

  • A YubiKey can have up to three PINs - one for its FIDO2 function, one for PIV (smart card), and one for OpenPGP.
  • The PIV and OpenPGP PINs are set to 123456 by default, but there is no FIDO2 PIN set from the factory.
  • If you are being prompted for a PIN (including setting one up), and you're not sure which PIN it is, most likely it is your YubiKey's FIDO2 PIN.
  • If you are using a blue Security Key, FIDO2 is the only PIN you will be prompted for, as the blue Security Keys do not support PIV and OpenPGP.

Shown below is an example of what a prompt to create a FIDO2 PIN on a YubiKey might look like in the Windows operating system.

 

f2-create-pin-prompt-w10.PNG

 

From this point forward, this article will focus on FIDO2 PINs. For additional information on PIV and OpenPGP, please see the resources below.

 

More on FIDO2 PINs

Why they appear

  • FIDO2 is made up of two components - WebAuthn on the service provider end, and CTAP2 on the YubiKey end.
  • PIN prompts are a result of a WebAuthn setting known as User Verification. This setting is controlled by each service provider.
  • If a service provider does not specify a setting for User Verification, most modern browsers will default setting it to Preferred (as per the WebAuthn spec), which may result in a PIN prompt.
  • If you prefer not to be prompted for a PIN, try disabling the YubiKey's FIDO2 function, and see if that eliminates the PIN prompt, while still allowing you to sign in. Note that FIDO2 is required for certain services (e.g. personal Microsoft accounts), so disabling the function on the YubiKey will cause it to not work or not be recognized by those services.

PIN Management

A FIDO2 PIN can be set on a YubiKey with Yubico’s open source tool YubiKey Manager by navigating to ApplicationsFIDO2 and clicking Set PIN. It is also possible to set/change a YubiKey's FIDO2 PIN via Settings in Windows 10 under Accounts > Sign-in options > Security Key, and one may also be set when registering with certain services that use WebAuthn (e.g. personal Microsoft accounts).

 

Note that, in Windows, YubiKey Manager must be run as an administrator in order to open Applications > FIDO2.

 

PIN Requirements

FIDO2 PINs can be up to 128 alphanumeric characters (in other words, letters and numbers). For YubiKeys from the 5 FIPS Series, the minimum PIN length is 6. For non-FIPS YubiKeys and Security Keys, the minimum is 4. Yubico keys technically allow any ASCII256 characters to be used for a FIDO2 PIN, but since one of the component standards of FIDO2 (WebAuthn) only requires that clients (browsers/apps/operating systems) support alphanumeric characters, we recommend sticking to those for the best experience.

 

Handling an Unknown FIDO2 PIN

If you are being prompted for a FIDO2 and don't know what it is, you will need to reset the YubiKey's FIDO2 function to blank/reset the PIN. Be advised! - this procedure will effectively unregister the key with every account it has been registered with using FIDO U2F or FIDO2, so we strongly recommend taking precautionary measures (see below) prior to resetting.

 

If the FIDO2 PIN is entered incorrectly 3 times in a row, the key will need to be reinserted before it will accept additional PIN attempts (reinserting "reboots" the device). If the PIN is entered incorrectly a total of 8 times in a row, the FIDO2 function will become blocked, requiring that it be reset. The number of remaining retries can be viewed at any time in YubiKey Manager by navigating to ApplicationsFIDO2.

 

If the unknown PIN is preventing you from accessing one of your accounts, a temporary fix might be to disable your key's FIDO2 function using YubiKey Manager by unchecking FIDO2 under Interfaces > USB and clicking Save Interfaces. This may allow you to log in (or register) without needing the PIN, but note that it will not blank the PIN, nor increase the number of tries you have left, etc., so it should only be used as a temporary measure to regain access to an account and reconfigure its security settings in preparation for a FIDO2 reset.

 

If temporarily disabling FIDO2 on your key doesn't allow you to regain access, you may need to pursue alternative methods of login. Since these vary from service to service, please refer to the support documentation for the service in question (can be located via the Works With YubiKey Catalog) for specific guidance. Note that Yubico is unfortunately unable to assist with an account lockout situation like this - only the service provider in question will potentially be able to help with that.

Prior to performing a FIDO2 reset

Prior to performing a FIDO2 reset, you should:

 

  1. Determine which of your accounts will be affected
  2. Log in to those accounts and reconfigure their security settings

Any account your key has been registered with via FIDO U2F or FIDO2 will be affected by a FIDO2 reset. To determine which security protocols each of your accounts use, search for them in the Works With YubiKey Catalog, and under each service's listing, look under Security protocol support for FIDO2WebAuthnUniversal 2nd Factor (U2F), or similar.

 

For instance, in Google's listing in the WWYKC, all three of the above protocols are listed. Any accounts you have that list one or more of these protocols will likely be affected by a FIDO2 reset. Services that only list Yubico OTP, OATH-TOTP, etc., and do not include any of the aforementioned protocols should not be affected.

 

For any accounts that would be affected, you should log in, unregister the key you plan to reset, and then make sure you can log back in and modify the account's two-factor authentication settings without your YubiKey. This will ensure that you'll be able to log in and get the key re-registered after performing the reset.

 

If you have a backup YubiKey registered, which we recommend, you may not need to be as thorough, as your backup key should allow you to log in to your accounts and modify their security settings, assuming it is set up properly. However, this should be verified for certain prior to performing the reset.