Configure touch policy for new keys

The YubiKey can be set to require a physical touch to confirm any cryptographic operation. This is an optional feature to increase security: an operation with a key protected by a touch policy cannot complete unless a person is physically present at the YubiKey, so malware or a remote session that can reach the key cannot use it silently. The YubiKey Minidriver sets the touch policy when a key is first imported or generated. Once set for a key on the YubiKey, the policy cannot be changed; existing keys keep the policy they were created with, and this setting only affects keys created afterwards.

If you enable this policy setting, one of the following touch policies is configured on new keys generated or imported through the minidriver:

Never
Default policy; a user touch is never required.

Always
A user touch is required to confirm each and every cryptographic operation. Yubico does not recommend using this setting, as some Windows services, such as logon, may perform multiple cryptographic operations in a short time span, each of which would need its own touch.

Cached
A physical touch is required once, after which cryptographic operations are allowed without a further touch for a short time window. If you want to use the physical touch option with Windows Smart Card Logon, this is the option to choose.

If you disable or do not configure this policy setting, keys newly imported or generated through the minidriver will never require a user touch.

Supported on: At least Windows Vista

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: Software\Yubico\ykmd
Value Name: NewKeyTouchPolicy
Value Type: REG_DWORD
Enabled Value: 1
Disabled Value: 0

Touch policy:

  1. Never
    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: Software\Yubico\ykmd
    Value Name: NewKeyTouchPolicy
    Value Type: REG_DWORD
    Value: 1
  2. Always
    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: Software\Yubico\ykmd
    Value Name: NewKeyTouchPolicy
    Value Type: REG_DWORD
    Value: 2
  3. Cached
    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: Software\Yubico\ykmd
    Value Name: NewKeyTouchPolicy
    Value Type: REG_DWORD
    Value: 3
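On a machine that is not managed by Group Policy, the registry value listed above can be written directly. The following PowerShell function is an added example, not code from the YubiKey Minidriver documentation or from Yubico; the function name Set-YkmdNewKeyTouchPolicy is an assumption. It maps the three policy names to the DWORD values in the table, creates the key if the minidriver has not yet done so, writes the value, and reads it back to verify what is stored.

```powershell
#Requires -RunAsAdministrator
# Added example (not Yubico's code): set the NewKeyTouchPolicy value described
# above so that keys generated or imported through the minidriver from now on
# get the chosen touch policy. The function name is an assumption.

function Set-YkmdNewKeyTouchPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Policy names exactly as listed in the policy description.
        [Parameter(Mandatory)]
        [ValidateSet('Never', 'Always', 'Cached')]
        [string]$Policy
    )

    # DWORD values from the "Touch policy" table: 1 = Never, 2 = Always, 3 = Cached.
    $map  = @{ Never = 1; Always = 2; Cached = 3 }
    $path = 'HKLM:\SOFTWARE\Yubico\ykmd'   # Registry Hive + Registry Path from the table
    $name = 'NewKeyTouchPolicy'

    if ($Policy -eq 'Always') {
        Write-Warning 'Yubico does not recommend Always: Windows logon may need several operations in a row. Use Cached for Smart Card Logon.'
    }

    if ($PSCmdlet.ShouldProcess("$path\$name", "Set to $Policy ($($map[$Policy]))")) {
        # Create the key if it does not exist yet (the minidriver may not have created it).
        if (-not (Test-Path -Path $path)) {
            New-Item -Path $path -Force | Out-Null
        }

        # -Force creates the value or overwrites an existing one; type is REG_DWORD.
        New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value $map[$Policy] -Force | Out-Null

        # Read back and verify the stored DWORD before reporting success.
        $stored = (Get-ItemProperty -Path $path -Name $name).$name
        if ($stored -ne $map[$Policy]) {
            throw "Expected $($map[$Policy]) for $Policy but the registry holds $stored"
        }

        [pscustomobject]@{
            Path   = $path
            Name   = $name
            Policy = $Policy
            Value  = $stored
        }
    }
}

# Usage: require a touch once, then allow operations for a short window afterwards
# (the option required for touch with Windows Smart Card Logon).
Set-YkmdNewKeyTouchPolicy -Policy Cached
```

Run with `-WhatIf` to see the intended write without changing anything. Because the touch policy is fixed when a key is created, the change is only observable on the next key generated or imported through the minidriver; keys that already exist keep their original policy. On a domain-joined machine where this policy setting is applied, Group Policy rewrites the value at the next policy refresh, so configure it through the policy there rather than locally.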


yubikeyminidriver.admx

Administrative Templates (Computers)