Yubico Forum
https://forum.yubico.com/

Inconsistencies with PIV logon and macOS Sierra
https://forum.yubico.com/viewtopic.php?f=23&t=2471
Page 1 of 1

Author:  Yogui [ Sat Oct 29, 2016 9:23 am ]
Post subject:  Inconsistencies with PIV logon and macOS Sierra

Hi,

I am having issues with my YubiKey 4 Nano with macOS Sierra logon in PIV mode.

On first logon after a reboot, the password box clearly asks for my Yubikey PIN, so that works. Although, as stated elsewhere, macOS does not provide smartcards with a way to completely replace the password, so I am usually asked for my password immediately after logon in order to unlock Vault or something; well that can't be helped, and it is not my issue.

The issue is that after closing the laptop or letting it go to sleep, the password input in the logon screen consistently asks for the password, never the PIN. However, half the time it expects the actual password (in these cases the PIN doesn't work), and half the time the password doesn't work but the PIN does. I haven't figured out which happens when or why. It's very confusing.

Can you please help me diagnose what I did wrong?

Best regards,

Author:  Brisbanite [ Tue Jan 03, 2017 10:21 pm ]
Post subject:  Re: Inconsistencies with PIV logon and macOS Sierra

I am having the same issue. I've tried creating new certificates, and re-enrolling. It allowed me to unlock my computer on that session only, but not since. Strangely, I've found that if I select "change users", and attempt to unlock my computer from that screen, I have no problems doing so using the Yubikey + PIN. The certificates are enrolled in my keychain and marked "trusted for this account", and acknowledged by my computer when inserted.

From what I can tell, the issue is on the side of MacOS, not Yubikey or Yubico software, but the Mac forums seem to have no reference to it. Does anyone have an idea how to resolve these issues?

Author:  Yogui [ Fri Jan 06, 2017 9:25 pm ]
Post subject:  Re: Inconsistencies with PIV logon and macOS Sierra

I since stopped using the Yubikey for easy login on the Mac, since half the time I ended up losing more time. We're talking seconds here, but still.
However, the issue you're also seeing keeps happening (I need to switch back to the user selection screen first, or the password doesn't work), which would tend to support what you're saying about this being more Apple than Yubico. This issue was "sometimes", but it is now "every time".

I consider myself lucky to already have had other users on this Mac, or I have no idea if I'd have been able to enter my password ever again.

I tried to talk to Apple about this but they're deferring to the third party entirely (meaning Yubico).

So... Is there anyone here who can help me/us get to the bottom of this issue, so we have some ground when we do go back to Apple?

Thanks,

Page 1 of 1 All times are UTC + 1 hour
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/