Reputation: 11
I'm trying to enforce PIN complexity for PIV certificates. The PIV Manager (which, as I understand it, is no longer under development) had an option to enforce this, but the YubiKey Manager does not have such an option, AFAIK.
So I'm forced to use the PIV Manager if I want to enforce this. The "interesting" part is that when I enforce the PIN complexity via PIV Manager, I'm still able to set "11111111" via the YubiKey Manager.
This means the YubiKey Manager straight-up ignores the settings set via PIV Manager. This also seems like a security risk if I can just overwrite the PIN, ignoring the complexity enforcement.
Is there any way to enforce the PIN complexity via the YubiKey Manager, or can I ensure that it does not ignore the settings set via PIV Manager?
Upvotes: 1
Views: 674
Reputation: 11
PIV PIN complexity on the YubiKey is not natively supported in the firmware. The YubiKey stores the PIV PIN internally as a byte string, but cannot translate it to readable text and apply complexity rules when the PIN is being written to the YubiKey.
However, the YubiKey can easily check the length of the PIN byte string on write, and reject PINs which do not fall into the allowable length defined by the NIST PIV specifications.
The NIST PIV specifications do not set complexity requirements for PIN values beyond length, so the implementation on the YubiKey is compliant with their guidance.
Some tools used for setting the PIV PIN on the YubiKey have internal checks on complexity, but these are executed prior to the PIN being written to the YubiKey hardware. In these cases, the complexity is only enforced at the tool level, and can be bypassed (as noted) by other applications writing a new PIN to a YubiKey.
Upvotes: 1
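The two layers the answer describes, as an added example that is not part of the question, the answer, or any Yubico tool: the "device" side is a constructed stand-in for the card that enforces only what the PIV data model lets it enforce (a 6 to 8 byte PIN, padded with 0xFF to 8 bytes), and the complexity rules are an assumed client-side policy, not PIV Manager's actual rule set. Nothing here talks to real hardware; the point is that the complexity check runs before the bytes reach the card, so any other client that skips it can set "11111111".

```python
# Added example: models the tool-level vs. device-level PIN checks discussed above.
# The "device" here is a constructed stand-in, not YubiKey firmware; the complexity
# policy is an assumption, not a copy of PIV Manager's rules.

from typing import Tuple, List

PIV_PIN_MIN = 6        # NIST PIV: PIN is 6 to 8 bytes
PIV_PIN_MAX = 8
PAD = 0xFF             # PIV pads the PIN field to 8 bytes with 0xFF

# Constructed list of obviously weak PINs for the client-side policy.
COMMON_PINS = {"123456", "12345678", "000000", "111111", "11111111"}


def encode_piv_pin(pin: str) -> bytes:
    """Encode a PIN as it travels in a PIV VERIFY / CHANGE REFERENCE DATA
    command: ASCII bytes, padded with 0xFF to exactly 8 bytes."""
    raw = pin.encode("ascii")
    if not PIV_PIN_MIN <= len(raw) <= PIV_PIN_MAX:
        raise ValueError("PIN must be %d to %d bytes" % (PIV_PIN_MIN, PIV_PIN_MAX))
    return raw + bytes([PAD]) * (PIV_PIN_MAX - len(raw))


def device_accepts(pin_field: bytes) -> bool:
    """Constructed model of the card-side check.  The card sees only a padded
    byte string and can verify its length; it has no notion of 'all ones'
    or 'sequential digits'."""
    if len(pin_field) != PIV_PIN_MAX:
        return False
    body = pin_field.rstrip(bytes([PAD]))
    return PIV_PIN_MIN <= len(body) <= PIV_PIN_MAX


def _is_sequential(pin: str) -> bool:
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps == {1} or steps == {-1}


def tool_policy_violations(pin: str) -> List[str]:
    """Assumed client-side complexity policy.  Everything in here is enforced
    by the tool, before any byte reaches the card."""
    problems = []
    if not pin.isdigit():
        problems.append("non-digit characters")
        return problems
    if len(set(pin)) == 1:
        problems.append("all characters identical")
    if _is_sequential(pin):
        problems.append("sequential digits")
    if pin in COMMON_PINS:
        problems.append("common PIN")
    return problems


def change_pin(new_pin: str, enforce_complexity: bool) -> Tuple[bool, str]:
    """Simulate a client changing the PIN.  A client that enforces the policy
    rejects weak PINs locally; a client that does not simply sends the bytes,
    and the device-side length check is all that remains."""
    if enforce_complexity:
        problems = tool_policy_violations(new_pin)
        if problems:
            return False, "rejected by tool policy: " + ", ".join(problems)
    try:
        field = encode_piv_pin(new_pin)
    except ValueError as exc:
        return False, "rejected by tool: " + str(exc)
    if not device_accepts(field):
        return False, "rejected by device: bad length"
    return True, "accepted by device"


if __name__ == "__main__":
    for pin, enforce in [("11111111", True), ("11111111", False),
                         ("12345678", False), ("28371940", True), ("1234", False)]:
        ok, why = change_pin(pin, enforce)
        print("%-9s enforce=%-5s -> %s (%s)" % (pin, enforce, ok, why))
```

Running the block shows the all-ones PIN being refused only when the client-side policy is switched on; with the policy off, the same bytes are accepted by the device model because they are eight bytes long, which is the bypass the question observed between PIV Manager and YubiKey Manager.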