Yubico Forum

Does pressing the YubiKey button on YubiKey NEO cause the smart card to be removed momentarily?

If the policy on Windows is set to "lock workstation on smart card removal", pressing the YubiKey button causes workstation to lock. This is a huge caveat and practically makes all OTP functionality unusable. Tested on Windows 10 and Windows 7.

Letting the user remove smart card without locking the workstation is not possible due to policy reasons and I believe most smart card deployments use this policy.

Is there any workaround to use the OTP functionality on YubiKey NEO with smart card removal policy set?

Hello,

You are correct. No, there is no workaround if you want to use HID interface.

If you use TOTP or HOTP you can use the Yubico Authenticator that shouldn't eject the card
https://developers.yubico.com/yubioath-desktop/

Disappointing. Thanks for the link, will definitely check it out, I hope it is a feasible workaround.

Do you happen to know if there is any way to use other certificate slots than 9a for things like logon on Windows? I would like to use more than the slot 9a for logon to different AD realms. Where are the slots defined? Probably in the standard but it sounds painful to find & read it all so looking for some pointers here. Will do a separate thread if no reply.

Just as an FYI, the YubiKey 4 doesn't disconnect/reconnect like the NEO (it was designed as a monolithic firmware, so if you send an OTP it doesn't eject the smart card). It also allows certificates up to 3049 bytes (compared to 2025 bytes with the NEO, although generally not an issue unless you're using a larger private key for the CA, or your environment is very complex).

9a is for authentication, so no, you can't use other slots for domain authentication. It's possible on some other smart card manufacturers' offerings, but there is currently no vendor-specific minidriver for the YubiKey. making this impossible. You would essentially need middleware to map multiple certificates to 9a.

Thanks, useful information.

For the record, I am linking to viewtopic.php?f=25&t=2764 that implements the aforementioned minidriver, with support for multiple certificates.

With important drawbacks, see for example viewtopic.php?f=26&t=2739 , by the way!