To unpair your PIV login from macOS Sierra (version 10.12), follow the procedures below. You can choose to delete all certificates that were installed on your YubiKey when you paired the device with macOS Sierra, or only the certificates that were added to be used for logging in to macOS Sierra. Also included are instructions so that macOS will no longer prompt you to pair your YubiKey or a smart card whenever the device(s) are detected.

Removing certificates from YubiKey

To reset the PIV applet on the YubiKey to completely remove the certificates and set the PIN to default

Use this procedure if you want to completely remove the certificates created when you installed the YubiKey PIV Manager to pair your YubiKey with macOS Sierra. If you want to keep your certificates, skip to the next procedure.

  1. Open the YubiKey PIV Manager.
  2. Click Manage device PINs.
  3. Click Change PIN.
  4. In the Current PIN field, enter a 6-8 character PIN that is not your PIN.
  5. In the New PIN and Repeat new PIN fields, enter a 6-8 character matching PIN (for example, 12345678).
  6. Click OK. An error appears with the message “PIN verification failed. 2 tries remaining.”
  7. Repeat steps 3-6 to change your PIN until you see the Manage device PINs window.
  8. If you previously provisioned your YubiKey, or if you chose to set a PUK and management key, then you will need to lock out the PUK. To do this:
    1. In the Manage Device PINs window, click Change PUK.
    2. Repeat steps 3-6 to change your PUK until you see the Manage device PINS window.
  9. Click Reset device.
  10. Click OK.

To delete the only the certificates created following the macOS Sierra login instructions

Use this procedure if you want to remove only the certificates created for macOS Sierra login.

  1. Open the YubiKey PIV Manager.
  2. Click Certificates.
  3. On the Authentication tab, click Delete certificate.
  4. On the Key Management tab, click Delete certificate.

Removing the smart card pairing from macOS Sierra (single YubiKey / smart card)

To remove a single YubiKey or smart card from macOS Sierra login

  1. Open Terminal.
  2. Run: sc_auth list [username] (for example, if your account name is John, run “sc_auth list john”).
  3. Highlight and copy (Command+C) the hash listed for your user.
  4. Run: sc_auth unpair -h [hash]

To remove all paired YubiKeys and smart cards for a single user

  1. Open Terminal.
  2. Run: sc_auth unpair [username] (for example, if your account name is John, run “sc_auth unpair john”).

To turn off the pairing user interface in macOS Sierra

Use this option if you want to be able to insert your YubiKey or other smart cards that contain certificates, and you do not want macOS Sierra to prompt you to pair your account.

  1. Open Terminal
  2. Run: sc_auth pairing_ui -s disable (the pairing UI can be turned back on at any point by running the command sc_auth pairing_ui -s enable).

Removing the YubiKey PIV Manager Application

  • To remove YubiKey PIV Manager, drag the application to the Trash.
in How To