How to use a YubiKey to log into Windows and macOS (2024)

Whether you've got pesky roommates, or just want an added layer of security, adding a YubiKey requirement to log in to your home PC or laptop can be a great way to improve your security. This will require that your YubiKey be plugged in each time you log in to your computer. This is especially useful if you're also using a YubiKey for your password manager or online accounts, since you'll likely be plugging it in anyway. Whether you're looking for added security or just think having a hardware token to log in to your devices is cool, here's how to set up YubiKey login on macOS and Windows.

How to use your YubiKey to log in to Windows

Windows supports logging in with your YubiKey, but there are some things to know and caveats to be aware of. Only some YubiKeys are supported (no biometric support here), and you'll only be able to authenticate to a local Windows account. There are some pros and cons to tying your Microsoft account to your Windows install, and Microsoft has certainly been pushing users to adopt online accounts over the last few years. Adding your YubiKey won't disable the ability to simply sign in with other biometric measures, like Windows Hello.

If you've got an online account already, it's relatively easy to convert it back to a local account. You may lose access to some features doing this though. If you have other accounts on the PC that are tied to Microsoft accounts, these shouldn't be affected.

Other caveats

You should also note that Yubico Login (the software we'll be using) is only available on x86 machines, so there's no support for Windows on ARM, unless you happen to fancy trying to build Yubico Login from source yourself. This limitation will hopefully change in the future though. Additionally, accounts managed by Entra or Active Directory won't work here, so don't try this on a school or work PC without speaking to an administrator first.

Another caveat to be aware of is that remote desktop login won't work with a YubiKey, so we wouldn't recommend doing this if you regularly remote into your PC.

Pre-requisites

You'll need these prepared before starting the process on your PC:

  • A Windows 10/11 PC - Windows 7 may be supported, but the documentation doesn't clarify this
  • A compatible YubiKey - you can check compatibility here
  • An administrator account on your computer
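
The caveats and prerequisites above can be checked from an elevated PowerShell prompt before installing anything. The script below is an added example, not part of the original article or Yubico's tooling; the function name Test-YubicoLoginPrereqs is hypothetical, and it only reads system state.

```powershell
# Added example: read-only pre-flight checks for the caveats listed above.
function Test-YubicoLoginPrereqs {
    $results = [ordered]@{}

    # CPU architecture: Win32_Processor.Architecture is 0 for x86 and 9 for x64
    # (12 would be ARM64, which the article says is unsupported).
    $arch = (Get-CimInstance Win32_Processor | Select-Object -First 1).Architecture
    $results['x86/x64 CPU (not ARM)'] = $arch -in 0, 9

    # Active Directory: domain-joined machines are out of scope.
    $domainJoined = (Get-CimInstance Win32_ComputerSystem).PartOfDomain
    $results['Not joined to an AD domain'] = -not $domainJoined

    # Entra ID: dsregcmd reports "AzureAdJoined : YES" on joined devices.
    $dsreg = (dsregcmd /status) -join "`n"
    $results['Not Entra joined'] = $dsreg -notmatch 'AzureAdJoined\s*:\s*YES'

    # Account type: PrincipalSource is 'Local' for a local account and
    # 'MicrosoftAccount' for one tied to a Microsoft account.
    $user = Get-LocalUser -Name $env:USERNAME -ErrorAction SilentlyContinue
    $isLocal = ($null -ne $user) -and ($user.PrincipalSource -eq 'Local')
    $results['Signed in with a local account'] = $isLocal

    # Administrator rights in this session (requires an elevated prompt).
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $results['Running as administrator'] = $isAdmin

    # Emit one row per check so failures are easy to spot.
    foreach ($check in $results.GetEnumerator()) {
        [pscustomobject]@{ Check = $check.Key; Passed = [bool]$check.Value }
    }
}

Test-YubicoLoginPrereqs | Format-Table -AutoSize
```

Any row showing False corresponds to one of the caveats above and should be resolved before running the installer.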

Setup Windows login via YubiKey

Follow these steps to establish login with your YubiKey:

  1. Verify that you are not logged in with a Microsoft Account.
  2. Take note of your username. It is possible to partly change your username on Windows, so it's important to take note of this properly. Open a command prompt by pressing WIN+R, then enter the following:
    whoami
  3. The response you'll get back will be in the format DESKTOP-ABCDE\username. Your username is the part after the backslash. In my case, my username is elliot.
  4. Download and install the Yubico installer from Yubico's website. You most likely need the 64-bit version. Run the installer and keep the default settings.
  5. Once set up, you'll be prompted to restart your computer. Ensure you have noted down your local account username and password, then reboot your computer.
  6. A login screen will prompt you for Yubico Login. Log in with your username and password as normal.
  7. Once logged on, open the start menu and locate Login Configuration.
  8. You should see the configuration menu. Select Advanced Configuration.
  9. On the next screen, de-select Create backup device for each user. If you have multiple YubiKeys, you can leave this checked though. If that is the case, you'll be asked to flash one YubiKey, then remove it and flash the second one.
  10. You'll be asked to select which users to provision your YubiKey for. This is useful if you have multiple accounts (e.g. as a systems administrator for a shared machine), and want to provision multiple keys at once. For our purposes, tick only your username.
  11. You'll be asked to insert your YubiKey.
  12. Once inserted and recognized, you'll see a confirmation screen with details about the key. Press Continue.
  13. Your YubiKey will be flashed, and then you'll be asked to remove your device.
  14. You'll be given your recovery code. It's very important to retain this information somewhere else safe that will be accessible without having access to your PC. Once you've closed this window, you won't be able to access your recovery code again.
  15. Once you've saved your recovery code, hit Next followed by Finish.

Once finished, press WIN+L to lock your PC. You'll be presented with the same login screen you encountered earlier. You'll need to enter your username and password, but this time you'll also be required to have your YubiKey inserted. If you lose your YubiKey, you can use your recovery code and the "Lost your YubiKey" option on the home screen to recover your account.

Remove YubiKey Login from Windows

This one is poorly documented by Yubico, so I will give some thanks to this Reddit thread for providing clarity here. In order to remove a YubiKey from your account, follow these steps:

  1. Log in to an administrator account. Note that removing YubiKey login will remove the requirement for all configured users.
  2. Uninstall Yubico Login using Windows' inbuilt add/remove program feature. You'll be asked to confirm. A restart is required after the software is uninstalled, and you can choose whether to restart now or later. Press OK on the first dialog, then No on the second, indicating that you plan to manually restart your computer later.
  3. Once uninstalled, open your registry editor by opening the start menu and searching for regedit.
  4. In the registry editor, browse to HKEY_LOCAL_MACHINE\SOFTWARE\Yubico and delete the entire Yubico key.
  5. Restart your computer.

Once your PC has rebooted and you return to the login screen, you should see the normal Windows login options.
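
To confirm after the reboot that nothing was left behind, the following added example (not from the original article or Yubico) checks the registry key named in step 4, the uninstall entries, and the registered credential providers. The function name Test-YubicoLoginRemoved and the '*Yubico*' name patterns are assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example: read-only verification that Yubico Login was fully removed.
function Test-YubicoLoginRemoved {
    # 1. The registry key deleted in step 4 of the removal procedure.
    $keyGone = -not (Test-Path 'HKLM:\SOFTWARE\Yubico')

    # 2. No uninstall entry left in the 64-bit or 32-bit registry view.
    #    The DisplayName pattern is an assumption, not a documented product name.
    $uninstallRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $installed = @(Get-ItemProperty $uninstallRoots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Yubico*Login*' })

    # 3. No credential provider still registered under a Yubico name.
    #    Each subkey is a CLSID whose default value holds the provider name.
    $cpRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
    $providers = @(Get-ChildItem $cpRoot -ErrorAction SilentlyContinue |
        Where-Object { $_.GetValue('') -like '*Yubico*' })

    [pscustomobject]@{
        RegistryKeyRemoved      = $keyGone
        UninstallEntriesLeft    = $installed.Count
        CredentialProvidersLeft = $providers.Count
        FullyRemoved            = $keyGone -and ($installed.Count -eq 0) -and ($providers.Count -eq 0)
    }
}

Test-YubicoLoginRemoved | Format-List
```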

How to use your YubiKey to log in to macOS

macOS also supports logging in with your YubiKey via support for PIV smart cards, but it does come with some caveats. Setting up a PIV YubiKey is relatively easy, but we don't recommend using it for exclusive authentication. You'll likely need to keep a password set, which you could set to something very long and use effectively as a recovery key.

You'll have the option on your Mac login screen to enter either your password or PIN. If you've got Touch ID enabled, you'll also have that option.

Exclusive Access

Setting up exclusive authentication on macOS for Apple Silicon requires the use of smart cards to unlock FileVault (disk encryption). When shut down, your Mac's disk is secured with the last smart card accessible, which means that only this smart card can later unlock the disk. This means that if you were to lose your YubiKey with your Mac locked, it would be impossible to then unlock your disk. For this reason, we'd recommend avoiding exclusive access via your YubiKey.

PIV/PUK customization

Accessing your Mac via YubiKey relies on PIV, or Personal Identity Verification. This is a technology that is supported by most YubiKeys and can be used for a variety of types of authentication. PIV comes with some settings to control access to its APIs. These settings are well explained here, and changing them is detailed in Yubico's documentation. We won't cover how to change your PUK and Management Key here, but we will change your PIN. This restricts access to the PIV APIs on your YubiKey. If you don't have a specific use case to change these values, follow the below instructions as-is. Changing the other values will not normally be necessary.

Setup macOS YubiKey access

To set up YubiKey authentication on your macOS machine, you'll need the following things:

  • A YubiKey that supports smart card functionality - check out support here
  • Admin access on a macOS machine running High Sierra or later
  • YubiKey Manager already installed on your Mac

Follow these steps to set up basic YubiKey authorization for your macOS machine:

  1. Open up YubiKey Manager with your YubiKey inserted.
  2. Open Applications and select PIV.
  3. Select Configure Pins.
  4. Select Change Pins.
  5. If you have previously set a PIV PIN on your YubiKey, enter it here. If you have not, tick Use Default next to the current PIN box, and enter a new PIN of your choice.
  6. Once a PIN is set, return to Applications > PIV.
  7. Press Setup for macOS in the top right corner of the window.
  8. When prompted for the management key, press Use Default.
  9. When prompted for your PIN, enter the PIN you set in Step 5.
  10. You'll then be asked to remove and reinsert your YubiKey. Once your YubiKey is inserted, you'll see a notification for SmartCard Pairing. Hover over this notification and select Pair.
  11. Enter your administrator password when prompted.
  12. Enter the PIN set in Step 5 when prompted.
  13. Enter your keychain password when prompted.
  14. Your YubiKey should now be configured as a smart card for macOS. Lock your screen with CMD + CTRL + Q. You should see an option to Enter PIN alongside your normal Touch ID.

You'll notice that if you remove your YubiKey, your Mac reverts back to default password authentication. We'd recommend you treat your regular account password like a recovery key: set a random very long string and keep it somewhere safe with other recovery keys. This affords the same physical-login process, while also providing a backup if you do lose your YubiKey. Again, note that Touch ID authentication isn't disabled by the smart card requirement, so it will work as usual to unlock your MacBook.

Remove YubiKey authentication from macOS

To disable YubiKey authentication on your Mac, you'll need to remove the smart card requirement for your user. To do this, open the macOS Terminal, and run the following, replacing <username> with the relevant user name.

sc_auth unpair -u <username> 

You can then lock your Mac again with CTRL+CMD+Q, and you should see password authentication (and optionally Touch ID) as the only authentication method available.

Another option would be to delete your PIV certificates from your YubiKey itself. You can do this with the YubiKey manager, under Applications > PIV > Certificates, and then by pressing Delete Certificates in the Authentication tab.

This is just one great use for YubiKeys

YubiKeys have more than proven their worth over the last decade, and are becoming more useful all the time. Even in an age where passkeys are gaining traction, there are still plenty of great uses for hardware tokens. On Windows especially, having a USB token to force login is a great advantage. Using a YubiKey on macOS has its downsides, but still offers physical security and comfort on a platform that's known to be highly secure. Just be careful to save your backup tokens in any case!

Article information

Author: Neely Ledner
