diff --git a/src/pkcs15init/cardos.profile b/src/pkcs15init/cardos.profile
index 45be7884..c5d6cf75 100644
--- a/src/pkcs15init/cardos.profile
+++ b/src/pkcs15init/cardos.profile
@@ -35,7 +35,7 @@ filesystem {
 	    # Prevent unauthorized updates of basic security
 	    # objects via PUT DATA OCI.
 	    # ACL = UPDATE=NEVER;
-	    ACL = UPDATE=$PIN;
+	    ACL = UPDATE=$SOPIN;
 
 	    # Bump the size of the EF(PrKDF) - with split
 	    # keys, we may need a little more room.
diff --git a/src/pkcs15init/pkcs15-cardos.c b/src/pkcs15init/pkcs15-cardos.c
index c9357bce..d48c0a46 100644
--- a/src/pkcs15init/pkcs15-cardos.c
+++ b/src/pkcs15init/pkcs15-cardos.c
@@ -249,6 +249,7 @@ cardos_store_key(sc_profile_t *profile, sc_card_t *card,
 			sc_pkcs15_prkey_t *key)
 {
 	sc_pkcs15_prkey_info_t *key_info = (sc_pkcs15_prkey_info_t *) obj->data;
+	struct sc_file *file = NULL;
 	int		algorithm = 0, r;
 
 	if (obj->type != SC_PKCS15_TYPE_PRKEY_RSA) {
@@ -262,6 +263,19 @@ cardos_store_key(sc_profile_t *profile, sc_card_t *card,
 		return SC_ERROR_NOT_SUPPORTED;
 	}
 
+	r = sc_select_file(card, &key_info->path, &file);
+	if (r)   {
+		sc_debug(card->ctx, "Failed to store key: cannot select parent DF");
+		return r;
+	}
+
+	r = sc_pkcs15init_authenticate(profile, card, file, SC_AC_OP_UPDATE);
+	sc_file_free(file);
+	if (r)   {
+		sc_debug(card->ctx, "Failed to store key: 'UPDATE' authentication failed");
+		return r;
+	}
+
 	r = cardos_put_key(profile, card, algorithm, key_info, &key->u.rsa);
 
 	return r;