PIV PIN and touch policies (2024)

Suppose you want to use one of the PIV keys to sign or decrypt. The application running on your host device will call one or more commands to perform the operation. Do you need to enter the PIN to perform the operation? Do you need to touch the YubiKey?

Suppose you want to generate a new key pair; you need to authenticate the management key to perform that operation. But do you need to touch the YubiKey as well?

The PIN and touch policies answer those questions.

Related articles

PIV commands access control

The PIV PIN, PUK, and management key

What are the possible policies?

PIN policies

  • Never: the PIN is never needed
  • Always: the PIN is needed for every use
  • Once: the PIN is needed once per session

Touch policies

  • Never: a touch is never needed
  • Always: a touch is needed for every use

For YubiKeys 4.3 and later, there is one more possible policy:

  • Cached: a touch is not needed if the YubiKey has been touched in the last 15 seconds, otherwise a touch is needed

Warning

It is important to point out that setting the PIN policy to "never" reduces security dramatically. This feature was added only because of customer demand for convenience. Yubico recommends setting the PIN policy to "always" or "once".

Note that if you do not specify a PIN or touch policy, there is a default. What the default is will be described below.

Note also that with management keys there is only a touch policy. The PIN is never needed to perform a management key operation (with the exception of Set PIN Retries, but in this case the PIN is needed because that is a command related to the PIN itself).

Older YubiKeys (prior to YubiKey 4)

The ability to use PIN and touch policies other than the default was not available prior to YubiKey 4. What this means is that when using a PIV key in a YubiKey, there was a default policy only and no way to generate or import a key to use a different policy.

Default policy

The default policies are programmed into the YubiKey upon manufacture. All YubiKeys, before version 4 and after, are programmed with the same default policies. In the future, there could be a YubiKey with a different default policy. But for now, the default PIN and touch policies are the following.

  • Slot 9C PIN policy: Always (the PIN is required before each private key operation)
  • PIN policy: Once (the PIN is required once per session to use a private key to sign, decrypt, or perform key agreement)
  • Touch policy: Never (touch is never required to use any PIV key, private or management)

Note:

The default PIN policy for slot 9C is different from the default for the other slots. This comes from the PIV standard. So remember that if you generate a key in slot 9C and set the PIN policy to default, the actual PIN policy will be Always. It is a good idea to simply always specify the PIN policy you want, Never or Once, rather than Default.

Note:

Touch is not a part of the PIV standard. That is why the first YubiKeys that supported PIV did not have the option of touch when using a PIV key. This non-standard ability to require touch was added to YubiKey in version 4 to augment security.

Changing the policy: management key (slot 9B)

If you want a touch policy different from the default for the management key, use the Set Management Key command. This will set the actual key value as well as the touch policy. With this command you can enter the current key along with a different touch policy to change the policy only, or enter the same touch policy with a new key to change the key only, or change both key and policy.

Setting keys to a non-default policy (all slots other than 80, 81, 9B, F9)

If you want a policy different from the default for a private key, you must specify that policy when the key is generated or imported. Once the key is on the YubiKey there is no way to change the policy.

Note that you can specify different policies for keys in different slots (if the YubiKey has the option of setting policies). For example, you can generate a new key in slot 9A that has a PIN policy of "always", while a key imported into slot 86 has a PIN policy of "once".

It is important to point out that setting the PIN policy to "never" reduces security dramatically. This feature was added only because of customer demand for convenience. Yubico recommends setting the PIN policy to "always" or "once".

Examples

Management key

You have a new YubiKey and one of the first things you do is change the management key from the default. You call the Set Management Key command, provide the new key data, and specify the touch policy. Suppose you set the policy to "always".

Now whenever you call the Authenticate management key command, the authentication won't be complete until the YubiKey has been touched.

Private key

Suppose you generate a new key pair for slot 9C using the Generate asymmetric key pair command. You set the PIN policy to never and the touch policy to always. Now when you call the Authenticate: sign command, you won't need to combine it with PIN verification to make it work, but the YubiKey won't complete the signing process until the YubiKey has been touched.

Suppose you generate a new key pair for slot 9D. You set the PIN policy to once, and the touch policy to never. Now when you first decrypt using that key in a session, you will need to authenticate the PIN, but won't need to touch. The next time you decrypt in the session, you will not need the PIN nor touch.
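The management key and private key scenarios described above (the "Changing the policy", "Setting keys to a non-default policy" and "Examples" sections), carried out in one program as an added C# example that is not part of the original page. It uses the Yubico .NET SDK's PivSession class (ChangeManagementKey, GenerateKeyPair, Sign, the KeyCollector callback with KeyEntryData/KeyEntryRequest, and the PivSlot, PivAlgorithm, PivPinPolicy and PivTouchPolicy enums); those type and member names are assumed from that SDK and should be checked against its reference documentation. The PIN and management key values are placeholders, and the program needs a connected YubiKey 4 or later to run.

```csharp
// Added example (not from the original page): apply the PIN and touch policies
// described in the text using the Yubico .NET SDK's PivSession API.
// Type and member names are assumed from that SDK; verify against its docs.
using System;
using System.Linq;
using System.Text;
using Yubico.YubiKey;
using Yubico.YubiKey.Piv;

public static class PivPolicyDemo
{
    // Placeholder secrets for illustration only. A real application obtains
    // them from the user (or a secure store) and never hard-codes them.
    private static readonly byte[] CurrentMgmtKey = new byte[24]; // placeholder: current 3DES key
    private static readonly byte[] NewMgmtKey = new byte[24];     // placeholder: new 3DES key
    private static readonly byte[] Pin = Encoding.ASCII.GetBytes("123456"); // placeholder PIN

    // The SDK calls this delegate whenever a command needs the PIN, the
    // management key, or a touch. Returning false cancels the operation.
    private static bool KeyCollector(KeyEntryData data)
    {
        switch (data.Request)
        {
            case KeyEntryRequest.VerifyPivPin:
                // Fires only for keys whose PIN policy is Always, or Once
                // on the first use in the session.
                data.SubmitValue(Pin);
                return true;
            case KeyEntryRequest.AuthenticatePivManagementKey:
                data.SubmitValue(CurrentMgmtKey);
                return true;
            case KeyEntryRequest.ChangePivManagementKey:
                data.SubmitValues(CurrentMgmtKey, NewMgmtKey);
                return true;
            case KeyEntryRequest.TouchRequest:
                // Fires when the key's touch policy is Always (or Cached and
                // the 15-second window has expired): prompt the user.
                Console.WriteLine("Touch the YubiKey to continue...");
                return true;
            case KeyEntryRequest.Release:
                // The SDK is done with the secrets; nothing to clear here
                // because the placeholders are static.
                return true;
            default:
                return false;
        }
    }

    public static void Main()
    {
        IYubiKeyDevice yubiKey = YubiKeyDevice.FindAll().First();
        using var piv = new PivSession(yubiKey);
        piv.KeyCollector = KeyCollector;

        // Management key (slot 9B): new key value plus touch policy Always.
        // From now on, management key authentication blocks until the
        // YubiKey is touched.
        piv.ChangeManagementKey(PivTouchPolicy.Always);

        // Slot 9C: PIN never, touch always. The slot's default PIN policy is
        // Always, so the policy must be stated explicitly at generation; it
        // cannot be changed afterwards without generating a new key.
        PivPublicKey signingKey = piv.GenerateKeyPair(
            PivSlot.Signing, PivAlgorithm.EccP256,
            PivPinPolicy.Never, PivTouchPolicy.Always);

        // Slot 9D: PIN once per session, touch never.
        PivPublicKey decryptKey = piv.GenerateKeyPair(
            PivSlot.KeyManagement, PivAlgorithm.Rsa2048,
            PivPinPolicy.Once, PivTouchPolicy.Never);

        // Signing with 9C: no PIN prompt, but the TouchRequest callback fires
        // and the command does not complete until the key is touched.
        byte[] digest = new byte[32]; // placeholder SHA-256 digest to sign
        byte[] signature = piv.Sign(PivSlot.Signing, digest);
        Console.WriteLine($"Signature length: {signature.Length} bytes");
    }
}
```

The single KeyCollector delegate is where the policies become visible at runtime: which requests it receives, and when, is decided by the policy stored with each key, not by the calling code.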
