PIV-enabled YubiKeys

The YubiKey 4 and 5 series along with the YubiKey NEO support the Personal Identity Verification (PIV) interface specified in NIST SP 800-73 document "Cryptographic Algorithms and Key Sizes for PIV". This enables you to perform RSA or ECC sign/decrypt operations using a private key stored on the smartcard, through common interfaces like PKCS#11.

For information about what you can do with a PIV-enabled YubiKey, please see the various sections in the menu on the left.

Technical details about the YubiKey PIV implementation

The default PIN code is 123456. The default PUK code is 12345678.

The default 3DES management key (9B) is 010203040506070801020304050607080102030405060708.


We urge you to change these values before using the PIV functionality for any non-testing purpose. For details on what these keys do, see Admin access.

The following key slots exist:

  • 9A, 9C, 9D, 9E: RSA 1024, RSA 2048, or ECC secp256r1 keys (algorithms 6, 7, 11 respectively).

  • 9B: Triple-DES key (algorithm 03) for PIV management. YubiKeys with firmware 5.4 and up also support AES-128 (algorithm 08), AES-192 (algorithm 0A) and AES-256 (algorithm 0C) keys for PIV management.

The maximum size of stored objects is 2025/3052 bytes for current versions of YubiKey NEO and YubiKey 4 & 5, respectively.

Currently all functionality are available over both contact and contactless interfaces (contrary to what the specifications mandate).