About the YubiKey and Smart Card Capabilities

  • YubiKey 4, YubiKey 4 Nano, YubiKey 4C, YubiKey 4C Nano, and YubiKey NEO provide Smart Card functionality based on the Personal Identity Verification (PIV) interface specified in NIST SP 800-73, “Cryptographic Algorithms and Key Sizes for PIV.”
  • Performs RSA or ECC sign/decrypt operations using a private key stored on the smart card, through common interfaces such as PKCS#11 (Multi-platform) and a Smart Card Minidriver for Microsoft Windows.

General Information

  • Supports twelve key slots on the YubiKey 4 (maximum certificate size of 3,052 bytes per slot)
  • Supports four key slots on the YubiKey NEO (maximum certificate size of 2,024 bytes per slot)
  • Each slot is capable of holding an X.509 certificate, along with its accompanying private key.
  • Supports key sizes of RSA 2048, ECC P-256, or ECC P-384.
  • All functionality is available over both contact and contactless (NEO only) interfaces.

YubiKey Smart Card Minidriver

  • YubiKey provides baseline functionality to authenticate as a PIV-compliant smart card out-of-the-box on Microsoft Windows Server 2008 R2 and later servers, and Microsoft Windows 7 and later clients.
  • The YubiKey Smart Card Minidriver provides additional smart card functionality: certificate and PIN management via the native Windows user interface, support for ECC key algorithms, and touch policy settings for private key use.
  • Request a certificate from a Windows Certification Authority, generate a self-signed certificate, or import an existing certificate to the YubiKey. Generate a certificate based on the Server CA Template stored in the secure element on the device. Supports all Windows smart card behaviors, including lock on removal.
  • Identifies as a Microsoft USB CCID smart card reader and NIST SP 800-73 PIV smart card using the base Microsoft driver.
  • Identifies as a YubiKey Smart Card when using the YubiKey Smart Card Minidriver.

Certificate Authority with YubiKey

  • Set up a Certificate Authority (CA) with subordinate CA private keys stored on YubiKey to sign end entity certificates
  • Supports up to RSA 2048 bit keys for the subordinate CAs and end entity certificates.

OS X Code Signing

  • Generate a certificate on the YubiKey, submit the certificate request to Apple, and use it for OS X code signing. Certificates will also be loaded to the Apple Keychain.
  • Use the certificates as usual with codesign, pkgbuild, productbuild, and productsign commands.

SSH with PIV and PKCS11

  • The YubiKey with PIV can work for public key authentication with OpenSSH through PKCS11, primarily on Mac OS X or Linux systems with the OpenSC software installed.
  • Uses a self-signed cert loaded in slot 9a of the PIV applet for SSH authentication via OpenSC.

More Places to Use the YubiKey with Smart Card/PIV

Docker Hardware Signing

  • Enable DOCKER_CONTENT_TRUST=1 (feature currently available in Docker Experimental).
  • Generate a Docker Content Trust root key for yourself.
  • The root key is generated inside the YubiKey; then generate keys for your repository and push the signed image.
  • Users who have Docker Content Trust enabled can now securely download your content.

Centrify Identity Platform

  • Use YubiKeys with the Centrify Identity Platform to enable seamless two-factor authentication
  • Smart card PIV re-authentication for Windows privilege escalation
  • Active Directory-based login to Mac OS X and other platforms to meet NIST regulations

Versasec vSEC:CMS

  • Versasec vSEC:CMS users can quickly authenticate using their YubiKey as a smart card in PIV mode

CyberArk

  • CyberArk users can use YubiKey to unlock their enterprise password vault
  • Leverage the YubiKey with privileged account security policies and controls

EgoSecure Data Protection FDE

  • EgoSecure Data Protection FDE uses the YubiKey NEO for two-factor authentication
  • Encryption and decryption of data is completely transparent to authorized authenticated users
  • For enterprise installations, can be centrally deployed and managed using the EgoSecure management console

Learn More

Get the YubiKey Smart Card Minidriver

A Minidriver for the Windows OS that allows smart card management in the native Windows interface and adds support for ECC key algorithms. Download the YubiKey Smart Card Minidriver from our Downloads page.