10.4 Supported features for Yubico smart cards
See section 2.1, Supported features, for a description of the features supported by smart cards.
10.4.1 Features
The following MyID features are smart card or middleware specific. The table below indicates which smart card-dependent features are available in MyID with Yubico smart cards.

| Smart card | Features | | | | | | | | | |
|---|---|---|---|---|---|---|---|---|---|---|
| YubiKey 4 | Y | P | | | P | P | | | | Y |
| YubiKey 5 | Y | P | | | P | P | | | | Y |
| YubiKey FIPS | Y | P | | | P | P | | | | Y |
| YubiKey SC | Y | P | Y | | P | P | | | | Y |
| YubiKey SC FIPS | Y | P | Y | | P | P | | | | Y |
| YubiKey v57 | Y | P | Y | | P | P | | | | Y |
| YubiKey v57 FIPS | Y | P | Y | | P | P | | | | Y |

Key:
- Y – Fully supported.
- P – Partially supported. See below for details.
- blank – Not supported.
10.4.1.1 PIN management
The following Yubico cards support a limited range of PIN management features:

| Feature | YubiKey 4 | YubiKey 5 |
|---|---|---|
| Lock the PIN after issuance. | Y | Y |
| Identify when the PIN is locked. | Y | Y |
| Replace the SOPIN with a randomized value. | Y | Y |
| Replace the SOPIN with the factory SOPIN at cancellation. | Y | Y |
| Unlock the PIN using the SOPIN. | Y | Y |
| Provide a remote unlock code. | Y | Y |
| Reset the PIN at cancellation. | Y | Y |
| Configure on-card PIN policy. | P | P |

| Feature | YubiKey FIPS | YubiKey SC | YubiKey SC FIPS |
|---|---|---|---|
| Lock the PIN after issuance. | Y | Y | Y |
| Identify when the PIN is locked. | Y | Y | Y |
| Replace the SOPIN with a randomized value. | Y | Y | Y |
| Replace the SOPIN with the factory SOPIN at cancellation. | Y | Y | Y |
| Unlock the PIN using the SOPIN. | Y | Y | Y |
| Provide a remote unlock code. | Y | Y | Y |
| Reset the PIN at cancellation. | Y | Y | Y |
| Configure on-card PIN policy. | P | P | P |

| Feature | YubiKey v57 | YubiKey v57 FIPS |
|---|---|---|
| Lock the PIN after issuance. | Y | Y |
| Identify when the PIN is locked. | Y | Y |
| Replace the SOPIN with a randomized value. | Y | Y |
| Replace the SOPIN with the factory SOPIN at cancellation. | Y | Y |
| Unlock the PIN using the SOPIN. | Y | Y |
| Provide a remote unlock code. | Y | Y |
| Reset the PIN at cancellation. | Y | Y |
| Configure on-card PIN policy. | P | P |

Key:
- Y – Fully supported.
- blank – Not supported.
- P – Partially supported. For details of supported on-card PIN policy features, see section 10.6.2, PIN policy settings.
10.4.1.2 PKI – RSA
The following Yubico smart cards support a limited range of PKI – RSA features:

| Feature | YubiKey 4 | YubiKey 5 |
|---|---|---|
| Generate a private key for a certificate request. | Y | Y |
| Write a certificate to the smart card. | Y | Y |
| Cryptographically sign or encrypt data. | Y | Y |
| Specify the default certificate for Windows logon. | Y | Y |
| Write 1024 bit certificates. | Y | Y |
| Write 2048 bit certificates. | Y | Y |
| Write 3072 bit certificates. | | |
| Write 4096 bit certificates. | | |
| Remove certificates. | Y | Y |
| Inject a private key for certificate recovery. | Y | Y |
| Enumerate certificates on the card. | | |

| Feature | YubiKey FIPS | YubiKey SC | YubiKey SC FIPS |
|---|---|---|---|
| Generate a private key for a certificate request. | Y | Y | Y |
| Write a certificate to the smart card. | Y | Y | Y |
| Cryptographically sign or encrypt data. | Y | Y | Y |
| Specify the default certificate for Windows logon. | Y | Y | Y |
| Write 1024 bit certificates. | | | |
| Write 2048 bit certificates. | Y | Y | Y |
| Write 3072 bit certificates. | | | |
| Write 4096 bit certificates. | | | |
| Remove certificates. | Y | Y | Y |
| Inject a private key for certificate recovery. | Y | Y | Y |
| Enumerate certificates on the card. | | | |

| Feature | YubiKey v57 | YubiKey v57 FIPS |
|---|---|---|
| Generate a private key for a certificate request. | Y | Y |
| Write a certificate to the smart card. | Y | Y |
| Cryptographically sign or encrypt data. | Y | Y |
| Specify the default certificate for Windows logon. | Y | Y |
| Write 1024 bit certificates. | | |
| Write 2048 bit certificates. | Y | Y |
| Write 3072 bit certificates. | Y | Y |
| Write 4096 bit certificates. | Y | Y |
| Remove certificates. | Y | Y |
| Inject a private key for certificate recovery. | Y | Y |
| Enumerate certificates on the card. | | |

Key:
- Y – Fully supported.
- blank – Not supported.
10.4.1.3 PKI – ECC
The following Yubico smart cards support a limited range of PKI – ECC features:

| Feature | YubiKey 4 | YubiKey 5 |
|---|---|---|
| Generate a private key for a certificate request. | Y | Y |
| Write a certificate to the smart card. | Y | Y |
| Specify the default certificate for Windows logon. | Y | Y |
| ECC NIST P256 Curve | Y | Y |
| ECC NIST P384 Curve | Y | Y |
| ECC NIST P521 Curve | | |
| Remove certificates. | Y | Y |
| Archive certificates. | | |
| Enumerate certificates on the card. | | |

| Feature | YubiKey FIPS | YubiKey SC | YubiKey SC FIPS |
|---|---|---|---|
| Generate a private key for a certificate request. | Y | Y | Y |
| Write a certificate to the smart card. | Y | Y | Y |
| Specify the default certificate for Windows logon. | Y | Y | Y |
| ECC NIST P256 Curve | Y | Y | Y |
| ECC NIST P384 Curve | Y | Y | Y |
| ECC NIST P521 Curve | | | |
| Remove certificates. | Y | Y | Y |
| Archive certificates. | | | |
| Enumerate certificates on the card. | | | |

| Feature | YubiKey v57 | YubiKey v57 FIPS |
|---|---|---|
| Generate a private key for a certificate request. | Y | Y |
| Write a certificate to the smart card. | Y | Y |
| Specify the default certificate for Windows logon. | Y | Y |
| ECC NIST P256 Curve | Y | Y |
| ECC NIST P384 Curve | Y | Y |
| ECC NIST P521 Curve | | |
| Remove certificates. | Y | Y |
| Archive certificates. | | |
| Enumerate certificates on the card. | | |

Key:
- Y – Fully supported.
- blank – Not supported.