
bsmr

Original poster
Hi,

I just bought 2 of those Keys and now want to use them with my iPhone and Mac.

Looked at some videos and read Apple's website about it.

What I don't understand:
- is it better to install the Yubikey app on the iPhone first and set up a 'PIN code' for the keys and then integrate them with Apple devices
or
- don't use this app and don't use PIN codes for those Yubikeys and simply integrate them with Apple devices?

And what happens if I set up those Yubikey PINs after integrating them with Apple devices?
 
A PIN adds a bit to the security but isn't mandatory. It's good practice to have one though.
You can set up a PIN either before or after pairing your key with your account. It doesn't matter. If there is a PIN, then you may be asked to type it when you try to use the key for login. If there isn't, then you won't. The PIN is a feature of the Yubikey itself; it's the Yubikey that requests it, not the OS.
 
Theoretically different credentials should be more secure, but in practice it may not matter too much. There's a fine balance between security and usability; beyond a certain point returns start diminishing. I, for one, use the same PIN for all my Yubikeys. It's easier for me to remember, and it's strong enough not to stand a chance of being inferred or guessed by anybody. Making my life harder by having to remember several PINs, one for each Yubikey, would bring too little extra security in return to be worth the trouble.
 
Thanks for your feedback.
So maybe same PIN and other PUK / Management Key credentials is fully ok.

Or going with the same for both is also ok if I understand you correctly?!
 
... and one more Point. It also should be the same FIDO2 PIN so it's easier to remember. Isn't it the FIDO2 PIN which I do need most of the time?

Sorry for asking all this as I just bought those keys and Yubico Website is quite complicated.
 
If you get this to work on the iPhone, please let me know what adapter you purchased. I bought one off Amazon that didn't work.
 
I have the following key and you don't need an adapter.

 
People were talking about PIN codes so I assumed they were talking about the YubiKey Bio series. That's what I'm trying to get to work with an iPhone.
 
Thanks for your feedback.
So maybe same PIN and other PUK / Management Key credentials is fully ok.

Or going with the same for both is also ok if I understand you correctly?!
I meant using the same codes for all Yubikeys. I haven't set a PUK, because I'm not using the PIV interface, and the FIDO interface requires just a PIN, not a PUK. But if I were to use a PUK, then I would make it different to the PIN and perhaps longer, and would store it in a safe place rather than try to remember it.
 
... and one more Point. It also should be the same FIDO2 PIN so it's easier to remember. Isn't it the FIDO2 PIN which I do need most of the time?

Sorry for asking all this as I just bought those keys and Yubico Website is quite complicated.
No problem, that's what the forum is for. And indeed, the Yubico website is confusing to a newbie.
The FIDO2 interface uses just an optional PIN, there's no PUK as far as I know. Other interfaces, like PIV, have both a PIN and a PUK, but what we're using in the context of iCloud 2FA is the FIDO2 interface.
 
Hi.
Concerning the FIDO2 PINs I do have some issues. I changed the FIDO2 PIN within Yubikey Manager. Everything fine so far and it works with the new PIN.

When I register services (Apple, Google,...) with my new Yubikey it asks for that PIN to register the Keys.

BUT: When I log in to these services and they ask for my key, they do 'NOT' ask for the FIDO2 PIN again.

What am I doing wrong? I thought, it will always ask for the FIDO2 PIN?
 
It’s up to the service to ask for the PIN or not. For these services you are already using two factors: your password and the physical key.

The FIDO2 PIN in those cases should best be viewed as security theatre. I myself have chosen not to use the FIDO2 PIN. Enabling the PIN only makes it more cumbersome with minimal real security benefits. I mean, think about it. If someone manages to steal your password AND your key, in what scenario would they not just use the $5/€4.39 wrench to force you to tell the PIN?

But I sense you are the kind of user that wants to feel something is protecting you, without having to think about real scenarios and attack vectors. If that is the case, leave the PIN on.
 
Will FIDO2 stop working if you don't set a FIDO2 PIN, I mean will it revert to using other protocols other than FIDO2?

I did set a FIDO2 PIN and it's starting to annoy me because every website or app I registered with the key keeps asking for the FIDO2 PIN every time I log in.


I really don't want to enter any PIN every time I login.
 
PIN codes are primarily there to ensure the key can't be used by someone else if found or stolen, and appear to always be required when using passwordless authentication (however, if your token has a fingerprint reader then this option can be used instead of the PIN).
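
Added example, not part of any post in this thread: in WebAuthn (the browser API behind FIDO2 logins) the service's login request carries a userVerification preference, and the key's response carries flags saying whether it was only touched or also checked a PIN or fingerprint. The sketch below reads those flags and applies the service's policy, which is the mechanism behind both "it's up to the service" and the PIN being required for passwordless login; the function names and sample bytes are constructed for illustration.

```javascript
// Added example with constructed data; function names are hypothetical.
// Authenticator data layout: rpIdHash (32 bytes) | flags (1) | signCount (4, big-endian)
const FLAG_UP = 0x01; // user present: the key was touched
const FLAG_UV = 0x04; // user verified: the key checked a PIN or fingerprint

function parseAuthenticatorData(bytes) {
  if (bytes.length < 37) throw new Error("authenticator data too short");
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const flags = view.getUint8(32);
  return {
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Service-side policy check, run after the assertion signature has been verified.
// policy is the userVerification value the service put in its login request:
// "required", "preferred" or "discouraged".
function evaluateAssertion(authData, policy) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) return { ok: false, reason: "key was not touched" };
  if (policy === "required" && !parsed.userVerified) {
    return { ok: false, reason: "PIN or fingerprint required but not verified" };
  }
  return { ok: true, factors: parsed.userVerified ? "key + PIN/biometric" : "key only" };
}

// Constructed sample: rpIdHash is left as zero bytes (placeholder, not a real hash).
function sampleAuthData(flags, signCount) {
  const bytes = new Uint8Array(37);
  bytes[32] = flags;
  new DataView(bytes.buffer).setUint32(33, signCount, false);
  return bytes;
}

const touchOnly = sampleAuthData(FLAG_UP, 7);
const touchAndPin = sampleAuthData(FLAG_UP | FLAG_UV, 8);
console.log(evaluateAssertion(touchOnly, "discouraged")); // password + key login
console.log(evaluateAssertion(touchOnly, "required"));    // passwordless login, no PIN entered
console.log(evaluateAssertion(touchAndPin, "required"));  // passwordless login, PIN entered
```

A service that has already checked a password can accept a touch-only response, while a passwordless service has only the key to rely on and so rejects a response without the user-verified flag.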
 