PIV provides two different levels of access. One is the end-user (cardholder) level, which is protected by a PIN. This level allows normal day-to-day usage of the PIV functionality. The second is an administrator level, which is protected by a management key. This level allows provisioning of credentials.
End-user functionality is guarded by a PIN, which needs to be provided by the user to perform private key operations. The PIN can be up to 8 characters long, and supports any type of alphanumeric characters. If the PIN is entered incorrectly 3 times consecutively, the PIN will be blocked and unable to be used. If the PIN is lost or blocked it can be reset using a PUK. The PUK has the same restrictions as the PIN. If both the PIN and the PUK have been blocked they can be reset using a specific command. This will reset the PIN, PUK and Management Key to their default values, as well as delete any stored certificates and keys. The default values for the PIN and PUK are 123456 and 12345678, respectively.
Administrative/Management functionality is guarded by a 24 byte management key. This key is required for administrative tasks, such as generating/importing keys and certificate into the PIV slots. The default value of the Management Key for the YubiKey is:
010203040506070801020304050607080102030405060708
The table below contains a list of possible operations and their requirements in terms of Management key (MGM), PIN and PUK.
| Action | Requires MGM | Requires PIN | Requires PUK | Notes |
|---|---|---|---|---|
Generate key pair |
x |
|||
Change MGM |
x |
Requires a new MGM |
||
Change retry counters |
x |
x |
Yubico extension. Resets PIN and PUK to defaults |
|
Import private key |
x |
|||
Import certificate |
x |
|||
Set CHUID |
x |
|||
Reset card |
Requires both PIN and PUK to be blocked |
|||
Verify PIN |
x |
|||
Sign data |
x |
|||
Decrypt data |
x |
|||
Change PIN |
x |
Requires a new PIN |
||
Change PUK |
x |
Requires a new PUK |
||
Reset PIN (unblock) |
x |
Requires a new PIN |