Unblock SmartCard PIN

  1. Overview
  2. Prerequisites
  3. Setting the PIN
  4. Solution
  5. PIN Unblock
  6. Unblocking the PIN via the Windows Login Interface
1. Overview

This document describes the use of the native Windows interface with the Yubico Minidriver to manage the PIN and PUK for the YubiKey PIV function. Users on Linux or macOS should generally use the YubiKey Manager. However, note that on macOS, the Terminal command sc_auth changepin can be used to change the PIN.

2. Prerequisites

These settings are only possible with INGOS MFA, powered by YubiKey. The YubiKey is the hardware token that functions as a security device, enhancing authentication. INGOS MFA leverages the powerful features of the YubiKey to provide secure and reliable multi-factor authentication.

The YubiKey Minidriver blocks the PUK if it is set to the factory default value. Once the PUK is blocked, it cannot be used unless the PIV applet is reset. To use the PUK, it must first be set with the YubiKey Manager before the YubiKey Minidriver can be used to load or modify certificates on the YubiKey PIV Applet.

Use the following steps in the YubiKey Manager to set a new PUK value:

  • Install YubiKey Manager: Download the YubiKey Manager from the official Yubico website and install it on your computer.
  • Deploy INGOS MFA powered by YubiKey SmartCard: Ensure that the INGOS MFA solution, powered by the YubiKey SmartCard, is properly set up.
  • Select PIV Function: Open the YubiKey Manager and select the PIV function from the menu.
  • Change PUK: Click on the "Change PUK" option.
  • Use Default PUK: Check the "Use default PUK" box to select the default value 12345678.
  • Confirm PUK: Enter the PUK twice to confirm and complete the change.

Enter the current and new PUK values in alphanumeric text. These values are not automatically saved and should be noted for future use.

Note

To unblock the PIN from the Windows logon screen (section 6), the Group Policy setting "Allow Integrated Unblock screen to be displayed at the time of logon" must be enabled. This setting is located under:

GPO

Computer Configuration > Administrative Templates > Windows Components > Smart Card
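
One way to confirm that this policy has actually reached a workstation, as an added PowerShell example that is not part of the original guide. It assumes the setting is stored as the AllowIntegratedUnblock DWORD under the SmartCardCredentialProvider policy key, as listed in Microsoft's smart card Group Policy reference; the function name Get-IntegratedUnblockPolicy is hypothetical.

```powershell
# Added example: report whether the "Allow Integrated Unblock screen to be
# displayed at the time of logon" policy is applied on the local machine.
# Assumption: the policy is written as the DWORD AllowIntegratedUnblock under
# the SmartCardCredentialProvider policy key.
function Get-IntegratedUnblockPolicy {
    [CmdletBinding()]
    param(
        [string]$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider'
    )

    $state = 'NotConfigured'   # key or value absent: the GPO has not been applied here
    $raw   = $null

    if (Test-Path -LiteralPath $KeyPath) {
        $item = Get-ItemProperty -LiteralPath $KeyPath -Name 'AllowIntegratedUnblock' -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $raw   = $item.AllowIntegratedUnblock
            $state = if ($raw -eq 1) { 'Enabled' } else { 'Disabled' }
        }
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Policy         = 'Allow Integrated Unblock screen to be displayed at the time of logon'
        State          = $state
        RawValue       = $raw
        UnblockAtLogon = ($state -eq 'Enabled')
    }
}

$result = Get-IntegratedUnblockPolicy
$result | Format-List

if (-not $result.UnblockAtLogon) {
    # Without the policy, the Unblock smart card option is not offered at logon.
    Write-Warning "Integrated Unblock is $($result.State). Link the GPO to this computer and run 'gpupdate /force'."
}
```
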
3. Setting the PIN

Once a YubiKey is registered, the user’s PIN should be changed if the default value (123456) is still set. After logging into their account, the user can change the PIN of a YubiKey connected to their system as follows:

  1. Press Ctrl + Alt + Delete to enter the lock screen.
  2. Select Change a Password from the presented options.
  3. Enter the current PIN and the new PIN.
  4. Press Enter to commit the new PIN.
4. Solution
5. PIN Unblock

By default, the user PIN is blocked after three consecutive incorrect PIN entries. The PIN Unblock Code (PUK) is used to unblock the user PIN. If both the PIN and the PUK are blocked, the YubiKey must be reset, which deletes any loaded certificates and returns the YubiKey to its factory default state.

6. Unblocking the PIN via the Windows Login Interface

Steps to Unblock the User PIN via Windows login interface:

  1. Insert the YubiKey and attempt to log in at the Windows login screen. When the PIN is blocked, the Change a Password screen is displayed.

  2. Check the Unblock smart card checkbox.

  3. For Windows 10 and higher, as well as Windows Server 2016 and newer:

    • Enter the PUK as normal text in the PIN Unblocking field.
  4. Enter a new, properly formatted PIN in the New PIN and Confirm PIN fields, then press Enter.

  5. Remove and then reinsert the YubiKey, and test the new PIN to verify you can access the account.
