Using the Yubico PIV Tools and YubiKey PIV Manager, I can load my client TLS certificate into the PIV slot and use it for authentication in Firefox. This is great. However...
Is there any way to prevent export of the private key of the PIV? As far as I can tell, the PIV management key only protects the device from modification, but does nothing to protect the contained contents from export.
If this is accurate, the YubiKey doesn't really seem to function as a PIV 2FA device, since 2-factor presumes "something you have", and any machine I plug the device into (or software running in the background) can just make a fully functional soft copy.
I cross-posted this question in the Yubico forums.
Here's how I demonstrated the problem:
YubiKey does not allow export of the private key, just the public cert. Instead I was demonstrating (what I see as) a bug in YubiKey PIV Manager. It doesn't delete private keys properly.
UPDATE: A comment below suggests this has been patched. I have not verified it, but I would bet it has been in the passing years.
First off, although I am going to point out what I see as a bug in YubiKey, I have to say, I was extremely impressed with the end-user support provided by Yubico. And I quote:
we try to help everyone who submits a support case. even the white haired grandma next door
Since "Delete certificate" didn't delete the private key from the YubiKey, re-loading the public key (which can be exported by YubiKey) resulted in a functional PIV interface.
I was able to demonstrate two other methods that actually do clear the private key:
I wasn't able to authenticate when I:
It recently dawned on me that this is the simplest method. Just a couple of button pushes in the "YubiKey PIV Manager".
I wasn't able to authenticate when I:
I reset with this command: yubico-piv-tool -areset
Strangely, I had to lock out my PIN and PUK first. The easiest way is to run the following commands and enter bad inputs more than 3 times (in the case of PUK, you have to enter a valid new PIN and a bad PUK. Ugh.):
# Use to lock out PIN
yubico-piv-tool -averify-pin
# Use to lock out PUK
yubico-piv-tool -aunblock-pin
Considering how painful the other two methods of resetting the private key are, "Delete certificate" is by far the easiest method of "wiping" your cert from the device. Nothing suggests the other two methods are necessary.
Yubico suggested that "reset" was the recommended action before passing the device off to another user.
Personally, I see this as a bug, but I don't know if Yubico is sold yet.
Here's the bad scenario I envision: