PIV-enabled YubiKeys

The YubiKey 4 and 5 series along with the YubiKey NEO support the Personal Identity Verification (PIV) interface specified in NIST SP 800-73 document "Cryptographic Algorithms and Key Sizes for PIV". This enables you to perform RSA or ECC sign/decrypt operations using a private key stored on the smartcard, through common interfaces like PKCS#11.

For information about what you can do with a PIV-enabled YubiKey, please see the various sections in the menu on the left.

Technical details about the YubiKey PIV implementation

The default PIN code is 123456. The default PUK code is 12345678.

The default management key (9B) on YubiKeys with firmware up to version 5.7 is a 3DES key with value 010203040506070801020304050607080102030405060708.

For YubiKeys with firmware version 5.7 and later, the default management key uses AES-192 instead of 3DES, The management key uses the same default value (3DES and AES-192 keys are the same length).


We urge you to change these values before using the PIV functionality for any non-testing purpose. For details on what these keys do, see Admin access.

The following key slots exist:

  • 9A, 9C, 9D, 9E: RSA 1024, RSA 2048, ECC secp256r1, or secp384r1 keys (algorithms 06, 07, 11, 14 respectively). YubiKeys with firmware 5.7 and up also support RSA 3072, RSA 4096, Ed25519, and X25519 keys (algorithms 05, 16, E0, E1, respectively).

  • 9B: Triple-DES key (algorithm 03) for PIV management. YubiKeys with firmware 5.4 and up also support AES-128 (algorithm 08), AES-192 (algorithm 0A) and AES-256 (algorithm 0C) keys for PIV management.

The maximum size of stored objects is 2025/3052 bytes for current versions of YubiKey NEO and YubiKey 4 & 5, respectively.

Currently all functionality are available over both contact and contactless interfaces (contrary to what the specifications mandate).