Verifying the PIN / Touch policy of the PIV slots

Verifying the PIN / Touch Policy on the YubiKey

Example of using attestation on slot 9a:

ykman piv keys attest 9a $env:USERPROFILE\Desktop\9a.attest.crt

Verify the PIN policy is set correctly by decoding the attestation certificate:

certutil -asn $env:USERPROFILE\Desktop\9a.attest.crt

Look for the following in the output:

| | | ;
01fb: | | 04 02 ; OCTET_STRING (2 Bytes)
01fd: | | 02 03 ; ..

These two bytes encode the policies: the first is the PIN policy and the second the touch policy.
PIN policy: 01 - never, 02 - once per session, 03 - always
Touch policy: 01 - never, 02 - always, 03 - cached for 15s
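As an added example (not part of the original page), a small Python script that performs the same check programmatically instead of reading certutil output by eye: it walks the attestation certificate's DER, locates the Yubico policy extension by its OID (1.3.6.1.4.1.41482.3.8, a published Yubico OID that is not quoted above) and maps the two bytes with the table above. Pass it the path of the 9a.attest.crt file written by ykman; with no argument it runs on a constructed sample.

```python
import base64
import re
import sys

# Yubico PIV attestation "PIN/touch policy" extension, OID 1.3.6.1.4.1.41482.3.8 (a published
# Yubico OID, not quoted on the page), as its DER value bytes: 41482 encodes as 82 C4 0A.
POLICY_OID_DER = bytes.fromhex("2b0601040182c40a0308")
PIN_POLICY = {1: "never", 2: "once per session", 3: "always"}
TOUCH_POLICY = {1: "never", 2: "always", 3: "cached for 15s"}
# Constructed sample: one Extension SEQUENCE holding policy bytes 02 03, nested in an outer SEQUENCE.
SAMPLE_DER = b"\x30\x12\x30\x10\x06\x0a" + POLICY_OID_DER + b"\x04\x02\x02\x03"

def children(buf):
    """Yield (tag, value) for each DER TLV directly inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long-form length: the next n bytes hold the length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, buf[pos:pos + length]
        pos += length

def find_extension(der, oid_der):
    """Depth-first search for Extension ::= SEQUENCE { extnID, [critical], extnValue }."""
    for tag, value in children(der):
        if tag == 0x30:
            items = list(children(value))
            if items and items[0] == (0x06, oid_der):
                return items[-1][1]  # contents of the extnValue OCTET STRING
        if tag & 0x20:  # constructed type (SEQUENCE, SET, [3] extensions): recurse
            found = find_extension(value, oid_der)
            if found is not None:
                return found
    return None

def policy_from_cert(data):
    """Return (pin_policy, touch_policy) names from a PEM or DER attestation certificate."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END", data, re.S)
    der = base64.b64decode(b"".join(m.group(1).split())) if m else data
    raw = find_extension(der, POLICY_OID_DER)
    if raw is None or len(raw) != 2:
        raise ValueError("PIN/touch policy extension missing or malformed")
    return (PIN_POLICY.get(raw[0], "unknown %#04x" % raw[0]),
            TOUCH_POLICY.get(raw[1], "unknown %#04x" % raw[1]))

if __name__ == "__main__":  # pass the path of the attestation cert, or run on the sample
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DER
    print("PIN policy: %s, touch policy: %s" % policy_from_cert(data))
```

On a real certificate the extension sits under the [3] extensions block of tbsCertificate, which the recursive walk reaches without needing a full X.509 parser.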

Once you've verified the PIN and Touch policy via the attestation function of YubiKey Manager, the next step is to sign a file and confirm that the PIN and/or Touch policy is honored. This requires the Yubico PIV Tool application found here

Open an elevated PowerShell window, change to the directory where you installed the Yubico PIV Tool application (for x64 this should be "C:\Program Files\Yubico\Yubico PIV Tool\bin"), and then run the following commands. The second time you run the yubico-piv-tool command it should prompt for a PIN and/or touch if you set the policies to "Always":

echo "hello world" > $env:USERPROFILE\Desktop\data.txt
yubico-piv-tool -a verify --sign -s 9a -i $env:USERPROFILE\Desktop\data.txt -o $env:USERPROFILE\Desktop\sig.bin
yubico-piv-tool -a verify --sign -s 9a -i $env:USERPROFILE\Desktop\data.txt -o $env:USERPROFILE\Desktop\sig.bin