Setting Touch Policy

The YubiKey can be set to require a physical touch to confirm any cryptographic operations. This is an optional feature to increase security, ensuring that any authentication operation must be carried out in person. The YubiKey Smart Card Minidriver (YubiKey Minidriver) sets the touch policy when a key is first imported or generated. Once set for a key on the YubiKey, the policies cannot be changed.

Note

The touch policy setting can influence the user experience. Consider the potential impacts before adjusting this configuration.

Set Policy for Touch to Allow Private Key Use

Set the policy to determine if touching the YubiKey’s button is required to use the certificate’s private key. This is an additional protection against use of a private key without explicit user intent. The policy is stored in the YubiKey’s secure element during private key creation or import and cannot be changed. If a different policy is desired, a new certificate and private key must be created.

By default, keys imported or generated through the YubiKey Minidriver are created with the touch policy disabled (no touch required).

Touch Policy Options

To alter the policy behavior, configure the registry prior to setting up keys, either on the station enrolling the keys or pushed out to all machines using Group Policy Objects.

Key: HKLM\Software\Yubico\ykmd
Value: NewKeyTouchPolicy (DWORD) - sets the touch policy on new keys generated/imported through the YubiKey Minidriver. Accepted values are:

  • 1 <Never> - (No touch required) Default policy of never requiring a user touch.
  • 2 <Always> - Policy is set to require a user touch to confirm each and every cryptographic operation. Yubico does not recommend using this setting, as some Windows services, such as login, may require multiple cryptographic operations in a short time span.
  • 3 <Cached> - (for 15 seconds per touch) Policy is set to require physical touch once, then allow for cryptographic operations in a small time window afterwards. For using the physical touch option with Windows Smart Card Logon, this option is required.

Note

Due to OS limitations, there is no visual prompt on the screen when touch is required in this scenario. The Microsoft minidriver specification on which the YubiKey Minidriver is based has no concept of a touch requirement.

Change the default through the Windows registry entry above; it applies to every new certificate and private key pair added to the YubiKey after the change. If different policies are required per certificate, change the registry entry before creating each certificate.
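The following PowerShell is an added example, not part of Yubico's documentation or the Minidriver itself. It writes the NewKeyTouchPolicy value described above, refuses to run unelevated, and reads the value back so an administrator can confirm the policy that will apply to the next key enrolled. The function names and the policy-name table are my own; the key path and the numeric values come from this page.

```powershell
# Added example (not Yubico's own code). Key path and values 1/2/3 are from the page.
$YkmdKey = 'HKLM:\Software\Yubico\ykmd'
$TouchPolicy = @{ Never = 1; Always = 2; Cached = 3 }

function Get-YkmdTouchPolicy {
    # Reports the policy that will be applied to keys generated/imported from now on.
    # An absent value means the Minidriver default (1 = Never). Existing keys are unaffected.
    $raw = (Get-ItemProperty -Path $YkmdKey -Name NewKeyTouchPolicy -ErrorAction SilentlyContinue).NewKeyTouchPolicy
    if ($null -eq $raw) { return 'Never (value absent, Minidriver default)' }
    $match = $TouchPolicy.GetEnumerator() | Where-Object { $_.Value -eq $raw }
    if ($match) { return $match.Key } else { return "Unknown ($raw)" }
}

function Set-YkmdTouchPolicy {
    # Hypothetical helper: sets NewKeyTouchPolicy and verifies the write.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Never', 'Always', 'Cached')]
        [string]$Policy
    )
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Writing under HKLM requires an elevated (Administrator) PowerShell session.'
    }
    if (-not (Test-Path $YkmdKey)) {
        # The Yubico\ykmd key is not present until an administrator creates it.
        New-Item -Path $YkmdKey -Force | Out-Null
    }
    $wanted = $TouchPolicy[$Policy]
    if ($PSCmdlet.ShouldProcess($YkmdKey, "Set NewKeyTouchPolicy = $Policy ($wanted)")) {
        New-ItemProperty -Path $YkmdKey -Name NewKeyTouchPolicy -PropertyType DWord -Value $wanted -Force | Out-Null
        # Read back: only keys created or imported after this point pick up the new policy.
        $actual = (Get-ItemProperty -Path $YkmdKey -Name NewKeyTouchPolicy).NewKeyTouchPolicy
        if ($actual -ne $wanted) { throw "Verification failed: registry holds $actual, expected $wanted" }
    }
}

# Usage: choose Cached (the option the page says Windows Smart Card Logon needs), then confirm it.
Set-YkmdTouchPolicy -Policy Cached
Get-YkmdTouchPolicy
```

Run this on the enrollment station before generating or importing the certificate; run `Set-YkmdTouchPolicy -Policy Cached -WhatIf` first to preview the write without changing the registry.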