Using Your YubiKey as a Smart Card in macOS

Use the information in this article if you want to secure your Mac device using native tools provided with the macOS operating system. If you want to require a YubiKey when logging in to your Mac device, you will need to use our Mac OS Login Tool instead.

How To Use Your YubiKey as a Smart Card with macOS

Requirements

Setting Up Your YubiKey and Pairing with macOS

  1. Download and install YubiKey PIV Manager on your Mac.
  2. Open the YubiKey PIV Manager application and insert your YubiKey into an available USB port.
  3. If your YubiKey has not been set up previously with YubiKey PIV Manager, you will be prompted to create a new PIN. If your YubiKey has been set up previously with YubiKey PIV Manager, click the Setup for macOS button, click Yes, and follow the prompts.
  • Use a 6-8 digit number for your new PIN and note it for future reference. Do not use letters or other characters in your PIN.
  • We recommend you leave the other options at their default setting. For more information about the Management Key, see the YubiKey PIV Manager User’s Guide.
  4. When prompted, remove and re-insert the YubiKey to initialize the pairing process.
  5. To begin the Smart Card Pairing, click Pair.
  6. To allow pairing, enter your Mac User Name and Password.
  7. Enter the PIN you created in Step 3.
  8. When prompted, enter your login keychain password.

Congratulations, your Mac is now paired with your YubiKey! The next time you want to securely log in to your Mac, insert your YubiKey and enter your PIN.

How to Unpair Your YubiKey and PIV Login from macOS

To unpair your PIV login from macOS, follow the procedures below. You can choose to delete all certificates that were installed on your YubiKey when you paired the device with macOS, or only the certificates that were added for logging in to macOS. Also included are reset instructions so that macOS will no longer prompt you to pair your YubiKey or a smart card whenever the device(s) are detected.

Removing Certificates from the YubiKey

To delete all of the certificates on the YubiKey

Use this procedure if you want to remove the certificates created when you installed the YubiKey PIV Manager to pair your YubiKey with macOS. If you want to keep your certificates, skip to the next procedure.

  1. Open the YubiKey PIV Manager.
  2. Click Manage device PINs.
  3. Click Change PIN.
  4. In the Current PIN field, enter a 6-8 character PIN that is not your current PIN.
  5. In the New PIN and Repeat new PIN fields, enter a 6-8 character matching PIN (for example, 12345678).
  6. Click OK. An error appears with the message “PIN verification failed. 2 tries remaining.”
  7. Repeat steps 3-6 to change your PIN until you see the Manage device PINs window.
  8. If you previously provisioned your YubiKey, or if you chose to set a Personal Unlocking Key (PUK) and management key, you will need to lock out the PUK. To do this:
  9. In the Manage device PINs window, click Change PUK.
  10. Repeat steps 3-6 to change your PUK until you see the Manage device PINs window.
  11. Click Reset device.
  12. Click OK.

To delete only the certificates created after completing the macOS login instructions

Use this procedure if you want to remove only the certificates created for macOS login.

  1. Open the YubiKey PIV Manager.
  2. Click Certificates.
  3. On the Authentication tab, click Delete certificate.
  4. On the Key Management tab, click Delete certificate.

Removing the Smart Card Pairing from macOS

To remove a single YubiKey or smart card from macOS login

  1. Open Terminal.
  2. Run: sc_auth list [username] (for example, if your account name is John, run “sc_auth list john”).
  3. Highlight and copy (Command+C) the hash listed for your user.
  4. Run: sc_auth unpair -h [hash]

To remove all paired YubiKeys and smart cards for a single user

  1. Open Terminal.
  2. Run: sc_auth unpair -u [username] (for example, if your account name is John, run “sc_auth unpair -u john”).

To remove all paired YubiKeys and smart cards for the currently logged in user

  1. Open Terminal.
  2. Run: sc_auth unpair -u $(whoami)
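The three unpairing procedures above all come down to the same flow: list the pairing hashes for a user, then unpair each one. The script below is an added example and is not part of the Yubico article; it wraps the sc_auth commands the article uses so that a user with several paired keys can be cleaned up in one pass and the commands can be previewed first. It assumes that the hash field in “sc_auth list” output can be recognised as a run of 40 or more hex characters (the surrounding text of that output is not specified in the article, so a constructed sample is used here), and that DRY_RUN is a variable of this script only.

```shell
#!/bin/sh
# Added example, not from the Yubico article: list and unpair all smart-card
# pairings for one macOS user with the sc_auth commands described above.
# Assumption: the hash in `sc_auth list` output is a run of 40+ hex characters.

# Constructed sample of `sc_auth list` output for offline testing only
# (not captured from a real Mac; the exact line layout may differ).
SAMPLE_LIST_OUTPUT='Hash: 0123456789abcdef0123456789abcdef01234567
Hash: fedcba9876543210fedcba9876543210fedcba98'

# Pull the hash field out of each line of `sc_auth list` output on stdin.
extract_hashes() {
    grep -oE '[0-9a-fA-F]{40,}'
}

# Read one hash per line on stdin and emit (DRY_RUN=1) or run
# `sc_auth unpair -h <hash>` for each, exactly as in the article's step 4.
unpair_hashes() {
    while IFS= read -r hash; do
        [ -n "$hash" ] || continue
        if [ "${DRY_RUN:-1}" = "1" ]; then
            printf 'sc_auth unpair -h %s\n' "$hash"
        else
            sc_auth unpair -h "$hash"
        fi
    done
}

# Full flow for a user: list pairings, extract hashes, unpair each.
# Preview by default; set DRY_RUN=0 to actually remove the pairings.
unpair_user_pairings() {
    user="${1:-$(whoami)}"
    sc_auth list "$user" | extract_hashes | unpair_hashes
}

# Usage: sh unpair_yubikeys.sh [username]   (preview)
#        DRY_RUN=0 sh unpair_yubikeys.sh [username]   (apply)
if [ $# -gt 0 ]; then
    unpair_user_pairings "$1"
fi
```

Because the unpair step takes a hash rather than a username, running the preview first lets you confirm exactly which pairings will be removed before any change is made; the “sc_auth unpair -u” form from the article remains the simpler choice when you want every pairing for the user gone.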

To turn off the pairing user interface in macOS

Use this option if you want to insert a YubiKey that contains certificates, and you do not want macOS Sierra to prompt you to pair it to your account.

  1. Open Terminal.
  2. Run: sc_auth pairing_ui -s disable

Note: the pairing UI can be turned back on at any point by running the command "sc_auth pairing_ui -s enable".

Removing the YubiKey PIV Manager Application

  • To remove YubiKey PIV Manager, drag the application to the Trash.

Frequently Asked Questions

  • Why do I have to enter only numeric PINs for the PIV Manager on macOS?

macOS supports only numeric PINs. While you can enter alphanumeric PINs in the tool, and can use them on other platforms, these PINs are not accepted on macOS.

  • Do I still need to authenticate and unlock my disk using my FileVault password using YubiKey on macOS?

Yes, you still need to authenticate and unlock your disk using your FileVault password. FileVault encrypts your Mac disk, but to gain access to your data you need to provide a password to decrypt the disk. The smart card implementation on macOS does not replace FileVault.

  • How do I log in to another macOS account, for example, if I have a multi-user system?

Once you remove the YubiKey from the Mac device, authentication defaults to username and password.
