Many organizations purchase security keys like the YubiKey to streamline and secure access to various applications, but they can be used for much more.
The YubiKey in particular has the ability to be configured as the all-in-one answer to secure authentication – even for strict standards like PIV.
Do YubiKeys Have PIV-Compatible Smart Cards?
Yes, YubiKey 4 and 5 series keys can be configured with PIV certificates and PINs as per the NIST SP 800-73 specification set by the US Federal Government. Using a private key stored on the smart card, you can sign and decrypt using either RSA or ECC. YubiKeys have the added bonus of working with both contact and contactless interfaces, which can’t be said for most PIV devices.
YubiKey makes security keys that can plug into a wide array of ports (USB-B, USB-C, and Lightning Adaptor) as well as NFC options, so you can use a YubiKey for PIV authentication on any device.
YubiKey Smart Card Management System (SCMS) Options
While Yubico used to offer a dedicated YubiKey PIV Manager tool, the project has since been deprecated. Most of the functionality has been moved to the general purpose YubiKey Manager tool. There is another tool, the Yubico PIV Tool (which is still supported), that offers PIV management via command line.
Additionally, Yubico offers a Mini Smart Card Driver to augment the basic PIV capabilities of a default YubiKey with more features and integration to Windows infrastructure. The Mini Driver allows you to use Microsoft Windows Server 2008 R2 (or later versions) to manage PIV certificates and PINs, as well as using a Windows certificate authority to sign and issue certificates to your YubiKey.
In our capacity as an official Yubico Partner, SecureW2 has also developed a YubiKey Smart Card Management solution. It has all of the same functionalities as Yubico’s toolset, but it integrates into a PKI so that you can manage PIV certificates all from one place.
PIN and Management Key with SecureW2
Yubikey has two primary PINs that are required to use the Yubikey for authentication to a device and work maintenance work on the Yubikey itself. The four-digit PIN is used by the end user to authenticate every time they log in as proof or a signature of user authentication. The second one is a relatively long one called the Management Key and is required to perform specific tasks like enrollment or adding a new private key.
Because the Management Key is long and hard to memorize and is used only for limited tasks, it does not have the security feature, three times authentication attempt lockout. If anyone has access to the PIN there is a possibility that they will be able to crack the Management Key, which can be a potential security vulnerability.
SecureW2 uses a newer feature to mitigate this risk wherein the management key is randomized and stored in the Yubikey. To access the management key, you must authenticate using the PIN first.
For IT, it means that anytime they need to perform maintenance tasks like enrolling for a new certificate, they will ask the user for the PIN to authenticate before accessing the management key. This may add some steps for IT, but there is no difference from an end-user perspective. And since the PIN gets blocked after three unsuccessful attempts, this makes it a relatively safer option.
Of course, it’s always best practice to ask the end user to change their PIN immediately after the task is complete, as well as to choose a strong PIN.
Enhanced YubiKey PIV Attestation
YubiKey 4.3 and newer come equipped with an x.509 certificate that enables attestation for the PIV application. Attestation of certificates is a vital step in securing your authentication because it allows you to verify the origins of a certificate, ensuring that it’s a legitimate key pair.
The only trouble with the native implementation is that it requires you to use the PIV Tool command line to manually attest each certificate on each YubiKey. As you can imagine, this quickly becomes tedious.
SecureW2 can enhance your PIV attestation by integrating it into a PKI (either your existing PKI or our own managed option). You can replace the attestation certificate signed by the Yubico PIV certificate authority and replace it with your own, as well as scale the process for managing many YubiKeys simultaneously.
How to Use YubiKey for PIV Authentication
The actual act of using a YubiKey for PIV authentication is intuitive to anyone who has ever used another PIV card. It’s as simple as plugging it into the reader and tapping to authenticate, or in the case of NFC-enabled readers, tapping the key to the device.
What Applications Accept PIV Authentication?
- VPN
- Wi-Fi
- Web applications
- Desktop logon
- Document signing
- E-readers
How to Install and Manage PIV Certificates on YubiKey
It’s possible to use the command line interface to install or remove certificates from YubiKey, but it’s quite tedious. Using the YubiKey Manager provided by Yubico is significantly better since it has a GUI, but there is still the major shortcoming of requiring manual configuration for each key.
Neither of those options are feasible for YubiKey PIV management since PIV is rarely deployed at a scale less than enterprise-level. Any instance in which PIV authentication is used would require the management of hundreds or thousands of smart cards.
That’s why the best option for YubiKey PIV certificate management is SecureW2’s SCMS / CMS solution. Our certificate management system is able to deploy and manage certificates on any smart card, including security keys like the YubiKey. With our management portal, you can configure payloads to push to each device to automatically enroll them for a unique certificate.
Deploy PIN/PUK Complexity Requirements
Sometimes it goes overlooked, but a secure, unique PIN (and PUK!) is critical to using YubiKeys securely. Our YubiKey management solution allows you to set PIN/PUK complexity requirements for your organization.
Our smart card management system is supported by our world-class managed PKI, but we’re able to integrate with any existing network infrastructure you might already have. You can use our services a la carte, as many choose to do with our stellar Cloud RADIUS, or we can upgrade your whole network to WPA2-Enterprise with EAP-TLS authentication in just a few days.
Ready to use your YubiKeys for PIV authentication? We have affordable options for organizations of all sizes. Click here to see our pricing.