VeriMark™ NFC+ Security Key Setup Guide

VeriMark™ Key Manager is an official management tool provided by Kensington, designed for configuring and managing the VeriMark™ NFC+ Key. It supports devices running Windows and macOS.

With VeriMark™ Key Manager, you can:

• View device information such as serial number, FIDO2 version, and firmware version
• Manage PIN and digital certificates
• Configure and manage FIDO2, PIV, and OTP functions

• macOS 14 and above: Supports PIV and OTP features, in addition to FIDO2
• macOS versions below 14: Only FIDO2 is supported; PIV and OTP are not available

After opening VeriMark™ Key Manager and inserting the VeriMark™ NFC+ Key, the Home page will display basic device information. Clicking "Click to view details" shows firmware version and FIDO2 details.

You can:

• Create or change the FIDO2 PIN
• Manage passkeys (if supported)
• Reset the VeriMark™ NFC+ Key

Passkey Management is not supported in all versions of the tool. Availability depends on your system and software version.

Resetting the key will erase all stored FIDO® data. If the key was previously registered with any applications or services, you will no longer be able to use it to log in. After resetting, you will need to re-register the key with each service.

The VeriMark™ NFC+ Key does not come with a preset FIDO2 PIN.

• If you have never set a PIN, the tool will display "Create."
• If you already set one, it will display "Change."

You can manage the PIN, PUK, Management Key, and PIV certificates. Certificates can be generated, imported, exported, or deleted.

• User PIN: 123456
• PUK: 12345678
• Management Key: 010203040506070801020304050607080102030405060708

Resetting PIV restores the VeriMark™ NFC+ Key to its initial state. This process erases all PIV data, resets the PIN/PUK/Management Key to default values, and deletes all stored certificates.

OTP supports the HOTP (HMAC-based One-Time Password) type.

OTP can be set up in either Quick Mode or Advanced Mode. Quick Mode is designed for most users and provides a fast, guided setup. Advanced Mode offers more detailed customization options. You can click "Generate" to create a Secret Key automatically or manually enter your own Secret Key to complete the configuration.

VeriMark™ Access is specifically designed for standalone login for Windows computer by using Kensington VeriMark™ NFC+ Security Key. It does not require connection to any server and can login computer even when offline, ensuring seamless access without relying on a network connection.

VeriMark™ Access uses a USB VeriMark™ NFC+ Security Key for authentication, allowing computer owners to easily manage access by giving the key to users. It offers PIN-based, password-free login and control over who can access the computer. Windows Hello, on the other hand, relies on biometric authentication methods like facial recognition, fingerprint scanning, or PINs, and is designed for personalized, individual access without focusing on easy user management across multiple users.

No, your computer does not need to be in any enterprise or organizational environment, such as Windows Entra ID, or Hybrid environments. VeriMark™ Access supports local user account as well as domain user login.

Yes, VeriMark™ Access supports Windows Entra ID or Hybrid environments.

Yes, VeriMark™ Access is compatible with Windows 10 version 1809 and later, as well as Windows 11 on physical machines, and Windows 10 virtual machines. However, it is not supported on Windows 11 virtual machines.

Yes, it does. VeriMark™ NFC+ Security Key and recovery options can be used for both online and offline login.

Yes, you can register multiple VeriMark™ NFC+ Security Keys and we encourage you to register at least 2 VeriMark™ NFC+ Security Keys like Apple ID does. You can use the 2nd VeriMark™ NFC+ Security Key as a backup.

VeriMark™ NFC+ Security Key is the primary login method. If you accidentally lose your VeriMark™ NFC+ Security Key or do not have it with you, VeriMark™ Access offers backup login options using VeriMark™ Companion via a mobile security code (requires installing the VeriMark™ Companion mobile app) or a backup code.

Before installing VeriMark™ Access, a system check will be conducted to ensure your environment is compatible for installation. Below is the checklist, and if you encounter any issues, you can refer to the following descriptions to verify your environment:

• MSI install path: The installation path must be a local path.
• Windows version: Windows 10 version 1809 above and Windows 11.
• Credential provider: You previously installed similar software that was not completely removed. Please check the following path for any remaining files.
  regedit.msc: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters
  There must be only {DDC0EED2-ADBE-40b6-A217-EDE16A79A0DE} (Default) before installation.
  After installation, you must have {206CF19D-6951-41EF-BC90-01C04A30AB7A} (VeriMark™ Access) and {DDC0EED2-ADBE-40B6-A217-EDE16A79A0DE} (Default).
  If there are any other Credential Providers present, please delete them.
• .Net Framework version: Must be the v4.7.2 or later.
• Windows update: There should be no pending update prompt above the Windows shutdown key icon.

After installation is complete, launch VeriMark™ Access and follow these steps:

1. Enter login password of your computer.
2. Insert the VeriMark™ NFC+ Security Key, enter your PIN, and touch the key while it is blinking.
3. Install VeriMark™ Companion mobile APP one your phone by scanning the QR code shown in the installation process. Then, following the prompt to complete registration.
4. Save and keep the backup codes in a safe place in case you lost your VeriMark™ NFC+ Security Key.

Once these steps are completed, you can start using VeriMark™ Access to log in to your computer.

Yes, VeriMark™ Access supports multiple user accounts on a single computer. Each user can have their own VeriMark™ NFC+ Security Key to login.

Yes, one account can register multiple VeriMark™ NFC+ Security Keys.

Since VeriMark™ Access primarily uses VeriMark™ NFC+ Security Key for authentication, it must be bound to your VeriMark™ Access account. On the VeriMark™ Access page, you need to register a new VeriMark™ NFC+ Security Key before you can delete the old one. If an VeriMark™ NFC+ Security Key is lost, for security reasons, we recommend removing the lost VeriMark™ NFC+ Security Key rather than relying solely on backup methods to access your computer. This is important as there is a risk that someone else might use your lost VeriMark™ NFC+ Security Key to access your computer.

You must have more than one VeriMark™ NFC+ Security Keys to reset it. If you reset the VeriMark™ NFC+ Security Key through other methods, such as Windows settings or Chrome settings, you will need to re-register the VeriMark™ NFC+ Security Key on VeriMark™ Access. Resetting the key will erase all stored credentials, meaning any applications or cloud services previously registered with this VeriMark™ NFC+ Security Key will no longer recognize it for login.

Yes, you can click the reset icon next to the phone name to remove the phone and add a new one.

Yes, you can click "Settings" from the left sidebar. In the setting page, you will see the reset backup code option.

No, changing the PIN will not affect the login process. However, if you reset the VeriMark™ NFC+ Security Key, you will need to re-register it.

If you haven't set a password for the computer, you won't be able to complete the first step of entering the PC password to verify your identity during VeriMark™ Access configuration. Skipping or leaving the password field empty is not allowed. Please set a password for the computer first, then proceed with configuring VeriMark™ Access for computer login.

No. ARM-based CPU laptops are not supported by VeriMark™ Access at this time.

Yes. You can choose the NFC key as your login method, or select other options such as fingerprint authentication or a PIN, as shown in the login screen.

VeriMark™ NFC+ Security Key, a physical security device used for authentication, supports FIDO2, PIV, and HOTP functionalities. It adds an extra layer of security to access accounts and systems.

You can download VeriMark™ Key Manager and select Reset Security Key under the FIDO2 tab, or you can reset it on Windows by opening Settings from the Start menu and selecting the gear icon. Then, navigate to the "Accounts" section. Within "Accounts," select "Sign-in options." Here, located the option labeled "Security Key." Once found, click on "Manage" and insert the VeriMark™ NFC+ Key. You will then find the reset option available.

Please be aware that resetting Key will erase all FIDO® data. This means if you have previously registered your security key on another application, resetting the security key will render it unusable for login.

You can download VeriMark™ Key Manager and select Change Security Key PIN under the FIDO2 tab, or you can reset it on Windows by opening Settings from the Start menu and selecting the gear icon. Then, navigate to the "Accounts" section. Within "Accounts," select "Sign-in options." Here, located the option labeled "Security Key." Once found, click on "Manage" and insert the VeriMark™ NFC+ Key. You will then find the change option available.

You can download VeriMark™ Key Manager and select Reset Security Key under the FIDO2 tab, or reset it on macOS by opening Chrome → Settings → Privacy and security → Security → Manage security keys, then select Reset your security key. Please be aware that resetting Key will erase all FIDO® data. This means if you have previously registered your security key on another application, resetting the security key will render it unusable for login.

You can download VeriMark™ Key Manager and select Change Security Key PIN under the FIDO2 tab, or you can change it on macOS via Chrome by opening Chrome's Settings menu. Then navigate to Privacy and security, select Security, and locate Manage security keys. On that page, you will find the Create a PIN option.

The VeriMark™ NFC+ Security Key supports account authentication for various applications, and the registration process is mostly similar. Typically, you first enter the account settings screen, then navigate to the security or privacy-related page. Once on that page, you select options related to multi-factor authentication or similar. After clicking into it, you'll see the option for a security key. At this point, you can register your VeriMark™ NFC+ Security Key.

Currently, no one except yourself knows the PIN set for the VeriMark™ NFC+ Security Key, and if the maximum number of incorrect PIN entries has been reached, resulting in the VeriMark™ NFC+ Security Key being locked, we can only recommend resetting the VeriMark™ NFC+ Security Key.

Please be aware that resetting the key will erase all FIDO® data. This means that if you have previously registered your security key with another application, resetting it will render the key unusable for login.

You can download the VeriMark™ Companion here: https://www.kensington.com/software/verimark-setup/verimark-nfc-setup-guide/

Currently, if utilized by organizational personnel, configuration for computer login with VeriMark™ NFC+ Security Key necessitates setup by your company's IT staff through Windows Entra ID.

The client can access the settings by logging into the Windows Entra ID admin center. From there, they should navigate to "Protection/Authentication methods" and then proceed to "Policies." Under "Policies," they can select "FIDO2 security key" and enable the option for FIDO2 security key.

As an individual user, you can download VeriMark™ Access from here https://www.kensington.com/software/verimark-setup/verimark-nfc-setup-guide/ for computer login. VeriMark™ Access is specifically designed for standalone login on Windows using the Kensington VeriMark™ NFC+ Key.

Alternatively, you can refer to the following article on using VeriMark™ NFC+ Security Key to log in to Windows. This requires meeting Microsoft's basic requirements, which are listed at the beginning of the article. If your system meets these requirements, follow the instructions in the article to proceed with the setup.

Related article: Microsoft Authentication: Passwordless Security Key Login

According to the FIDO2 protocol, the storage limit for VeriMark™ NFC+ Security Key Discoverable Credentials.

There isn't a direct method to delete or view individual resident keys stored in the FIDO2 storage without performing a complete reset of the security key. The standard procedure for managing resident keys usually involves resetting the security key, which leads to the removal of all stored keys.

The NFC antenna on smartphones is typically located near the rear camera. When scanning, please place the VeriMark™ NFC+ Security Key at the top edge of the phone or near the rear camera area.

When you purchase VeriMark™ NFC+ Key, it comes without a default PIN. For applications such as Google account, Facebook, GitHub, and others, when you register VeriMark™ NFC+ Security Key as a login or two-factor authentication option, the application will prompt you to set a PIN for VeriMark™ NFC+ Key. Once set up, you will be required to enter this PIN whenever prompted to log in.

When the message indicating that the VeriMark™ NFC+ Security Key is locked appears, it is usually due to entering the wrong PIN too many times. Once locked, you can only reset it and set a new PIN.

When the VeriMark™ NFC+ Security Key is locked and unusable, it usually accompanies a message like "The FIDO® security key has been blocked for security reasons." At this point, you must reset your VeriMark™ NFC+ Security Key to unlock it. Please refer to the following instructions for resetting the VeriMark™ NFC+ Key.

Please Keep in mind that resetting the key will erase all FIDO® data, making it unusable for login if registered on another application.

Using VeriMark™ NFC+ Security Key as an option for macOS requires admin account and utilizing the PIV functionality. You must first download VeriMark™ NFC+ Security Key Manager.

PIV Management-Configure PINs:

1. You can change the PIN, PUK of PIV and management key on this page.
2. The default PIN of PIV is 123456; The default PUK of PIV is 12345678.
3. The default management key is 010203040506070801020304050607080102030405060708. You can click the checkbox next to "Use Default" to obtain the management key, it based on you have never changed the management key.

PIV Management-Certificates:

1. You need to generate or import certificates for both Authentication(9a) and Key Management(9d).
2. Please click "Generate" or "Import".
3. Then you will need to choose the algorithm. Please note that RSA1024 and ECCP384 are unsupported for macOS login. Please choose RSA2048 or ECCP256.
4. The default PIN of PIV is 123456. You can change PIN of PIV and management key in Pin Management page.
5. Then click "Confirm."

Configuring VeriMark™ NFC+ Security Key for macOS account login:

1. When you insert the VeriMark™ NFC+ Security Key into the macOS device, a notification will appear.
2. Then click "Pair".
3. If no message appears, you can use a command to bring it up. Open Terminal and enter the command "sc_auth paring_ui -f".
4. You will be prompted to enter the password and the PIN of PIV.
   • Firstly, please enter the password of user's account.
   • Secondly, please enter the PIN of PIV.
   • Finally, please enter the password of user's account again.

Log in to macOS:

To verify the setup, lock your Mac and ensure that the password field prompts for a PIN when you insert your security key. Attempt to unlock your session using your VeriMark™ NFC+ Security Key by entering the PIN.

Yes, VeriMark™ NFC+ Security Key is suitable for use with Apple ID. You can refer to the following link for information on the required device conditions and setup paths: https://support.apple.com/en-us/102637

Regarding the absence of the security key option in Multi-Factor Authentication registration on M365. Please ensure if FIDO2 security key option is enabled in the administrator's Azure AD (Entra ID) management system. The administrator can follow the steps below to access the settings:

1. Log in Microsoft Entra admin center.
2. Choose Protection/Authentication methods.
3. Click Policies → FIDO2 security key.
4. Enable FIDO2 security key option.

Then the user can check if there is an option to register a security key as part of the multi-factor authentication on M365.

The default PIN of PIV is 123456.
The default PUK of PIV is 12345678.
The default management key is 010203040506070801020304050607080102030405060708.

This happens when your VeriMark™ Key is configured with HOTP (One-Time Password). When you touch the key, it generates an OTP and automatically enters it into whichever text field is active, including places like the Windows PIN field. This behavior is normal for HOTP-enabled keys.

• macOS 14 and above: Supports PIV and OTP features.
• macOS versions below 14: PIV and OTP are not supported; only FIDO2 functions are available.

Q: Why am I seeing two PIN prompts when using my security key on Android devices?
A: On some Android OS devices, users may encounter two PIN prompts when inserting your VeriMark™ NFC+ security key. After entering the PIN twice, authentication completes successfully. This behavior appears to be related to the Android operating system rather than the key itself.

Q: Does this issue affect the functionality of the key?
A: No. Despite the double PIN prompt, the key functions correctly and authentication is successful.

Q: Which devices and OS versions are affected?
Here's a summary of tested devices and their behavior:

• Samsung A53 (Android 14): Two PIN prompts; authentication successful
• Samsung A53 (Android 15): Occasional issue; authentication successful
• Samsung S23+ (Android 15 & 16): Works normally
• Samsung Z Flip 4/5 (Android 14–16): Works normally
• Sony Xperia (Android 15): Works normally
• Google Pixel 7/10 (Android 16): Two PIN prompts; authentication successful

Q: Why doesn't my VeriMark™ NFC security key work with Safari on macOS when I have multiple keys registered to my account?
A: Safari may fail to recognize NFC security keys when too many keys are registered to a single user account. This is due to how Safari handles authentication: it attempts to process all registered keys simultaneously, which can overwhelm the memory capacity of NFC keys.

Q: What can I do to fix this issue?
For Microsoft services: Remove excess registered security keys from your account, clear your browser cache, and try logging in again.

Introduction
On smartphones and tablets, users typically rely on the on-screen keyboard for text input. However, when a USB security key is connected, some operating systems may detect the key as a hardware keyboard and automatically hide the on-screen keyboard. This can affect entering the FIDO® PIN or interacting with certain UI elements.

Explanation
Some security keys expose an OTP function through a USB Keyboard HID interface. When a mobile device detects a hardware keyboard, the OS may suppress the soft keyboard. The actual behavior varies across manufacturers, OS versions, and device models.

Platform Behaviors

Android 16 and newer:

• The historical setting System → Keyboard → Physical keyboard → Use on-screen keyboard has been removed in Android 16.
• Users must manually trigger the soft keyboard:
  1. Tap the PIN text field
  2. Tap the floating keyboard icon
  3. Select "Show on-screen keyboard"

Android 15 and earlier:
Users may enable: Settings → System → Keyboard → Physical keyboard → Use on-screen keyboard

iPhone / iPadOS (iOS & iPadOS):
iOS/iPadOS also treat the USB security key as a hardware keyboard. Observed behaviors:

• When the VeriMark Key is plugged in, the soft keyboard may not appear for normal text input.
• Removing the key restores the soft keyboard.
• Important: When operating FIDO® functions (such as entering the FIDO® PIN), iOS/iPadOS do correctly display the soft keyboard even with the security key plugged in.

This is expected OS behavior and not a device malfunction. Apple currently does not offer system-level settings to override this behavior when a hardware keyboard is detected.

Summary

• Mobile OSes may hide the soft keyboard when detecting a hardware keyboard.
• Behavior varies depending on OS version and device model.
• Android 16 requires manual soft keyboard activation.
• iOS/iPadOS suppress the keyboard in general text fields, but still present it correctly during FIDO® PIN entry.