Yubico Forum

Preface: on YubiKey NEO it works like charm:


On YubiKey 4 I'm getting a different result:


Does it mean that the command to set retry counters on YubiKey 4 is not f2? What is it then?

Help would be appreciated!

That feature is not available on the YubiKey 4

Wha...? Are you saying that on YubiKey 4 pin-retries is hard-coded to be "three times"?!

That's by specification.

Open PGP

http://g10code.com/docs/openpgp-card-3.0.pdf

Thank you for the reference. I notice that none of the OpenPGP specs (v1.0, 2.0, 3.0) actually include setting the retry counter to a specific value. They only say that at the reset it should return to the default.

However I find it very convenient and user-friendly that NEO extends this and allows me to set it to (say) 5 instead of 3, because (a) this is the policy where I employ it, and (b) it is perfectly convenient for me. So I'm very much disappointed that Yubico decided to get "strict" with Yubikey 4. There doesn't seem to be a reason (nor a need) for it.

Update
It is understandable why the standard may want to preclude users from being able to change the retry counter. Preventing the organizations that own and deploy such devices from setting whatever policy on the number of retries they see fit, seems very wrong - and I've yet to see a standard explicitly demanding this.

I agree with Uriel. With the Admin PIN this value should be able to be modified. 3 is just too risky for a password of over 30 characters.

Also is there anything to prevent malware from coming along and locking the pins?

It would be really nice if there was a way for the counter to reset with every power-off. This is the way encrypted WD My Passport drives work, and seems like it would make a brute-force attack pretty much impossible.

We hear you guys and we thought about bringing back this feature for YK4. However, since this feature might be included in the future spec of OpenPGP, we may decide to wait to implement this conforming to the standard.

In short, we are currently waiting observing developments which will decide how we will bring this back.

Thanks Tom.

I've decided instead of generating my authentication key on the Yubikey to generate it off-key so I can create a backup just in case.

I'll keep an eye out to see how the new spec, or your implementation, will handle locked keys.