TLS Authentication
To authenticate to a website in the Safari browser via TLS with your YubiKey and Yubico Authenticator for iOS/iPadOS, ensure that you have fulfilled the listed prerequisites and then complete the following steps.
Prerequisites
You have:
- acquired an X.509 certificate and corresponding private key capable of authenticating to a desired website via the TLS protocol
- imported your certificate and key pair onto your YubiKey
- provisioned the public certificate to your iOS Keychain
Authenticate to a website on Safari
1. Open the Safari browser application on your iOS/iPadOS device.
2. Enter the URL of the website you’d like to authenticate to. The website must correspond to a public certificate stored in your iOS Keychain and its accompanying private key on your YubiKey.
   If you have more than one certificate stored in your iOS Keychain or if you are browsing in private mode on Safari, you may be asked to confirm which certificate you’d like to use for authentication. Follow the prompts as necessary.
3. A pop-up from Yubico Authenticator will appear at the top of the screen. Click on the pop-up to begin the authentication handshake.
4. Insert your YubiKey into your iOS/iPadOS device or scan your NFC-enabled YubiKey when prompted.
   Note
   NFC wireless connections are natively supported on iOS but not on iPadOS (current iPads do not have built-in NFC readers). For a complete breakdown of Yubico Authenticator functionality by platform and connection type for each YubiKey model, see the Yubico Authenticator Functionality table.
5. Enter your PIV application PIN. For NFC connections, scan your key again when prompted.
   The default PIV application PIN is 123456. If you do not know your PIN and your YubiKey is managed by your organization, reach out to your IT admin for assistance.
   Caution
   You only have three attempts to enter the correct PIN before your PIN becomes blocked. Once blocked, your PIN must be unblocked with the PUK before you can perform any PIV operations that require PIN authentication. PIN unblocking can be done via the desktop version of Yubico Authenticator or the ykman CLI tool.
   Note
   If connected over USB-C on iOS or iPadOS, you must disable Yubico OTP generation in order to access your on-screen keyboard. For instructions and additional information, see Disable Yubico OTPs.
6. If you entered the correct PIN and authentication was successful, you will see a green check mark. Click on Safari in the upper left corner to return to your browser.
   After returning to Safari, you will be logged into the website.