Yubikey PIN Requirement and FAQ

If you have recently attempted to sign into a JMU-hosted system behind Okta using your Yubikey on a Windows device, you may have been asked to set up a 4-digit PIN (optionally more). This is due to recent Windows 11 updates, and not directly tied to Okta FastPass or its implementation.

Why do I need a PIN?

By design, all Yubikeys are FIDO2 enabled which allow the option for a PIN to be created. Services and providers can enforce the requirement of a PIN once the Yubikey is used, depending on the use-case and level of security. As Windows continues to enhance their security practices, it is possible that your Windows device will request a PIN be added to a Yubikey to match it's requirements.

Will it prompt me every time to use a PIN?

Once a PIN has been set to a Yubikey, yes. The PIN will be required to be used each time you use your Yubikey, regardless of the device or system you are attempting to use it on.

Will I be asked to set up a PIN on my Apple device?

No. You will be asked to set up a PIN only on a Windows 11 device. However, if your Yubikey already has a PIN, you will be required to use it across Windows and Apple devices.

I forgot my PIN, What do I do?

Unfortunately, JMU IT cannot see or reset a PIN on a Yubikey remotely. You are able to reset the Yubikey PIN yourself however, by folling the steps below:

On Windows Devices:

1. Open the Settings application via the Start menu (gear icon).
2. Go to Accounts > Sign-in options > Security Key, and click Manage.
3. Follow the prompts in the window that appears, and then click the Reset button.
4. Follow the prompts on-screen to complete resetting your YubiKey.

On Apple Devices:

1. Open Google Chrome, and navigate to:
   • chrome://settings/securityKeys 
     • Or, you can instead open Chrome's Settings, and then navigate to:
   • Privacy and security > Privacy > Manage security keys.
2. Click Reset your security key, and follow the prompts to complete the process.

Note: When resetting the Yubikey PIN, you will be removing the Yubikey from your Okta account as well. If you do not have an secondary authenticator on your account, you will need to reach out to the IT Help Desk to assist in re-enrolling your Yubikey. Additional information on setting back up your Yubikey can be found here

Additional information regarding the Yubikey PIN can be found here via Yubico.

• Why do I need a PIN on my Yubikey
• How do I remove my PIN
• Why do I need a PIN now