I have stored a digital certificate for digital signing of PDF files on a USB token (YubiKey 5). Usually the key is configured so that it always requires entering the PIN when a document is signed (verified e.g. with the Foxit PDF Reader). However, Adobe Reader DC requests the PIN only for the first document and not if additional documents are signed without restarting the Reader.
Is there any configuration option in the Adobe Reader to configure this behaviour and to enforce an ALWAYS_ENTER_PIN policy?
We also contacted the support of the USB token manufacturer, and they also think that it is a special behaviour of the Adobe Reader.
Please try adding the following Registry Key and check the behaviour:
Path: HKLM\SOFTWARE\WOW6432Node\Policies\Adobe\(product name)\(version)\FeatureLockdown\cSecurity\cPPKLite
Key Name (DWORD): bAllowPasswordSaving
More information on the Registry Key at https://www.adobe.com/devnet-docs/acrobatetk/tools/PrefRef/Windows/Security.html#idkeyname_1_16100
This did not change the behaviour...
Are you sure that this feature is available in Adobe Reader DC? I found some user documentation for Acrobat XI ("Use digital IDs in Adobe Acrobat", under "Change the password and timeout for a digital ID") but nothing comparable for the Reader DC.
Thanks for your support!
I found the same configuration options as described in the user documentation linked above also for Adobe Reader DC. But you can configure this only for certificates and keys stored in pfx files. I have no clue why the registry modifications have no impact on my YubiKey...
This registry setting has no impact on Adobe Reader DC (independently of the key storage, Windows certificate store or YubiKey). The Reader caches the PIN and the user is not required to re-enter the PIN before signing a document, even when the security level was set to high during import of the pfx file.
I have the same issue. Any idea?