1. Home
  2. PIV
  3. Guides
  4. Smart card-only authentication on macOS

    Smart card-only authentication on macOS

    macOS support mandatory use of a smart card, which disables all password-based authentication. This makes it possible to use a YubiKey with PIV support for all authentication on macOS, including computer login.

    Warning: Enforcing smart card may lock you out from your machine if done incorrectly. Make sure to read the recovery section here, and note that this enforcement applies to all users on the machine.

    Prerequisites

    • macOS High Sierra or later

    • an administrator account with a password configured

    • a YubiKey with the PIV application. Make sure you go through the device setup.

    • YubiKey Manager CLI installed

    Steps

    1. Generate certificates on your YubiKey to be paired with macOS.

      1. Generate key pairs for slot 9a and 9d, save public part to files. 

        ykman piv keys generate 9a --algorithm ECCP256 /tmp/9a.pub
ykman piv keys generate 9d --algorithm ECCP256 /tmp/9d.pub

      2. Generate self-signed certificates, anything can be used as subject. You may also set the expiration, default is one year.: 

        ykman piv certificates generate 9a --subject "YubiKey 5" /tmp/9a.pub
ykman piv certificates generate 9d --subject "YubiKey 5" /tmp/9d.pub

    2. Pair the the YubiKey with macOS

      1. The public key hash should now be listed as an unpaired identity. 

        sc_auth identities

      2. Use the listed hash to pair the YubiKey with your user. 

        sc_auth pair -h HASH -u USERNAME

      3. Verify that your user is paired: 

        sc_auth list

      You may now use your YubiKey for login, but your password still works as well.

    3. Install a configuration profile

      1. To enforce the use of smart card a configuration profile needs to be installed. A sample profile can be found here. Save the sample profile as sample.mobileconfig

      2. Install the profile by double-clicking on the profile and following the OS prompts.

    The YubiKey is now required for all authentication tasks on the system.

    Additional options

    Note that even though this guide uses self-signed certificates, any pair of certificates stored in slot 9a and 9d may be used for pairing. To also verify that the certificates used are trusted, configure the checkCertificateTrust option in the profile.

    The tokenRemovalAction may be added to the profile to automatically start the screensaver when the YubiKey is removed.

    More reading: