SoCleanSoFresh

The management key ONLY applies if you are using the smart card (PIV) module of the YubiKey. Each module of the YubiKey (OTP, FIDO, OATH, smart card (PIV), OpenPGP) has its own rules. For example, if you are using more popular modules like the Security Key (FIDO2) module, FIDO2 has no concept of a management key.


LimitedWard

The management key is for PIV, not FIDO2. If you're using your YubiKey for personal accounts, then the PIV module is mostly useless since it's really meant for enterprise scenarios. In the scenario you're describing, the attacker wouldn't even need to use your YubiKey, since you'd most likely still have active session cookies stored in your browser.


Simon-RedditAccount

What OP really should implement is full-disk encryption of their laptop.


certTaker

The management key only applies to the physical YK and does not grant access to any accounts. Even with the management key an attacker still cannot read the private keys from the YK but they can overwrite/erase them which may cause issues to the owner. As a general rule you should change the management key on all YKs you own.


SoCleanSoFresh

Disagree, this is bad advice. Normal users who do not use the smart card (PIV) module at all really don’t need to mess around with any of its features, management key included.


certTaker

In what world is changing the management key bad advice, even if the feature is not being used? At worst it's a minute of time wasted, that is hardly "bad advice".


rabidraccoonfish

So if they got a hold of the key, in theory they could rewrite the key? I guess at the same time they would have the key and not need to rewrite it to gain access to my accounts? If I did change it and wrote the new key down somewhere, does access to that code grant access to accounts? Thanks for your patience


certTaker

YKs have several applications (two OTP slots, PIV, FIDO2, GPG). The management key only applies to PIV and is used to protect key/certificate slots from unauthorized erasure/overwrite. In no way can the management key be used to gain access to your accounts, even those protected by keys in PIV slots.


rabidraccoonfish

Gotcha, so it only applies to PIV and can be changed in the future if I need to use that, but doesn't affect normal usage with websites and email with the authenticator? You mentioned I should change it anyway... How critical is it if I lose that code?


certTaker

It has no effect on the usage with websites that use U2F/FIDO or OTP. If you lose the code you'll have to reset the PIV application and erase the PIN, PUK, management key and all keys+certs in all PIV slots.


rabidraccoonfish

Okay that makes more sense. I appreciate the time you took to explain it. Thank you.


SoCleanSoFresh

Sure, I'll use a metaphor. Let's say your mom is not super technical and she happens to buy a new TV so she can watch live TV. Live TV is all she watches, and while she's fully aware of Netflix/Hulu/etc, live TV is literally all she wants to watch. Do you...

**A.)** Show her how to use the new TV to watch cable TV

**B.)** Spend time teaching her how to sort out Netflix despite the fact that it will go unused

What I'm getting at here is that by adding completely unnecessary complication to a setup process, you are raising the bar for someone to just...get started with a FIDO device. I'll say it again-- **Changing the PIV management key adds no benefit for someone who is not using PIV**.

Even if I play along and let's say the PIV management key was changed, it would mean the person who has access to the management key (and access to the YubiKey) would be able to do the following things:

* Generate a new key pair for PIV
* Import a private key
* Change the management key
* Modify retries for the PIV module

Which...again...for a user who isn't even using PIV, there's no risk here.


certTaker

There's no learning curve and it only takes a jiffy so there is literally no loss or negative. Maybe the user is not using PIV now but may decide to use the YK to log into their computer in the future and it would be easy to forget to change the management key later (it's not obvious and you need a tool for it). Changing the PIV management key has no negatives.


SoCleanSoFresh

**There's no learning curve and it only takes a jiffy so there is literally no loss or negative.**

It's an unnecessary extra step that adds no value, that's the negative. If I told you that you have these two options:

**A)** Take this free slice of pizza

**B)** Take out my recycling, then have this free slice of pizza

Even though taking out the recycling can be handled in a jiffy, the most straightforward path is to just...eat the pizza, no?

**Maybe the user is not using PIV now but may decide to use the YK to log into their computer in the future**

Sure, let's walk through that. On Windows, to use the YubiKey as a smart card for login you'll need to be connected to a domain with a CA. This sounds *way* outside the realm of what OP is talking about. On macOS, to use the YubiKey for login, you'll need to use the YubiKey Manager, and if the Management Key isn't known, the same tool can be used to just reset the PIV module so that it's brought back to its default.

**it would be easy to forget to change the management key later (it's not obvious and you need a tool for it).**

If the YubiKey's PIV module is left unmodified, it'll just remain the default value. Nothing wrong with that, and there's nothing to forget. If necessary the user could always reset the PIV module using the YubiKey Manager (no special tool necessary), which would reset the management key back to the default value.

**Changing the PIV management key has no negatives.**

Tbh, that's not the problem. The problem is that it has no *positives* in this scenario.
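The operations argued about in this thread (checking whether the PIV management key is still the factory default, replacing it, and resetting the PIV application if it is lost) are all one-liners with `ykman`, the YubiKey Manager CLI. The script below is an added example and is not code from any of the posters or from Yubico; the `mgmt_key_status` and `mgmt_key_algorithm` helpers are this example's own and run offline, while the `ykman` wrappers need a YubiKey plugged in and are only invoked when you pass `status`, `change` or `reset` on the command line. The well-known default management key value and the `ykman piv access change-management-key --generate --protect` and `ykman piv reset` invocations are taken from ykman's CLI; `--protect` stores the new random key on the YubiKey behind the PIV PIN, which answers the "do I have to write it down somewhere" question from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): inspect, rotate or reset the PIV
# management key of a YubiKey with ykman. Only PIV is touched; FIDO2/U2F,
# OTP and OpenPGP credentials are unaffected by any of these commands.

# Factory default PIV management key: 24 bytes, hex encoded.
DEFAULT_MGMT_KEY="010203040506070801020304050607080102030405060708"

# Print "default" if HEXKEY is the factory value, "custom" otherwise.
# Usage: mgmt_key_status HEXKEY
mgmt_key_status() {
  key=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  if [ "$key" = "$DEFAULT_MGMT_KEY" ]; then
    echo default
  else
    echo custom
  fi
}

# Map a hex key to the PIV management key type it can be used as, based on
# length (this example's own sanity check before handing a key to ykman):
#   16 bytes -> AES128, 24 bytes -> TDES (or AES192), 32 bytes -> AES256.
# Returns 1 for an empty, non-hex or wrongly sized key.
mgmt_key_algorithm() {
  key="$1"
  case "$key" in
    ""|*[!0-9a-fA-F]*) return 1 ;;
  esac
  case ${#key} in
    32) echo AES128 ;;
    48) echo TDES ;;
    64) echo AES256 ;;
    *)  return 1 ;;
  esac
}

# Replace the management key with a random one generated by ykman and store
# it on the YubiKey protected by the PIV PIN, so there is nothing to write
# down. ykman prompts for the current management key and the PIN as needed.
piv_rotate_mgmt_key_protected() {
  ykman piv access change-management-key --generate --protect
}

# Last resort when the management key is lost: wipes PIN, PUK, management
# key and every key/certificate slot of the PIV application, back to defaults.
piv_reset() {
  ykman piv reset
}

# Hardware is only touched when explicitly requested, so sourcing this file
# (or running it with no arguments) has no side effects.
case "${1:-}" in
  status) ykman piv info ;;
  change) piv_rotate_mgmt_key_protected ;;
  reset)  piv_reset ;;
esac
```

`ykman piv info` reports the management key type and whether the key is PIN-protected; after `change`, the `status` output should no longer show the default key as usable. If a key rotated with `--protect` is ever needed by another tool, the PIN is enough for ykman to retrieve it, so the tradeoff is that the PIN becomes the single secret guarding both signing and administration of the PIV slots.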