Tools and Troubleshooting

Managing Applications

Enabling/Disabling

The YubiKey Manager can be used to find out which applications are enabled on which interface and to enable or disable each application on each physical interface.

To find out which applications are enabled, select the Interfaces tab. A checkbox with a tick is shown next to each enabled applications. To change which applications are enabled, use the checkboxes to select the ones you want enabled and click Save Interfaces.

Note

For the YubiKey 5Ci, any modifications made to the applications over the USB interface will also apply to the applications over Lightning®.

Locking

Once the desired applications have been selected, a lock code can be set to prevent changes to the set of enabled applications. This is done using the YubiKey Manager command line interface command ykman config set-lock-code. The lock code is 16 bytes presented as 32 hex characters. For more information, see the YubiKey Manager (ykman) CLI & GUI Guide <https://docs.yubico.com/software/yubikey/tools/ykman/>`_.

YubiKey Manager (ykman)

The YubiKey Manager is a tool for configuring all aspects of YubiKeys in the 5 series and for determining the model of key and the firmware it runs. It has both a graphical interface and a command line interface. Being cross-platform, it runs on Windows, macOS, and Linux. Some of the more advanced options are only available through the command line. See the YubiKey Manager (ykman) CLI Guide.

Graphical User Interface (GUI)

The graphical user interface of the YubiKey Manager provides an easy-to-use method of performing basic configuration tasks of the YubiKey 5 Series, including:

  • Displaying information about the YubiKey(s) connected to the computer.
  • Enabling or disabling applications per physical interface.
  • Setting or changing the FIDO2 PIN, as well as resetting the FIDO application.
  • Managing the credentials in the OTP application.

Command Line Interface (CLI)

Using ykman’s CLI, you can do everything that the GUI can and more. This includes, but is not limited to:

  • Enabling or disabling applications and prevent unauthorized changes by setting a lock code.
  • Managing the credentials in the PIV / Smart Card application, including resetting them.
  • Managing and generating OTPs from the credentials in the OATH application, including resetting the application.
  • Resetting the OpenPGP application and setting the OpenPGP touch policy.

For usage information and examples for ykman, see the YubiKey Manager (ykman) CLI Guide.

Yubico Authenticator

Yubico Authenticator is used to manage credentials on the OATH application and display the OTPs generated by the YubiKey. Yubico Authenticator is required in order to generate OTPs for OATH-TOTP credentials as the YubiKey does not contain a battery and thus cannot track time. It is open source, cross-platform, and runs on Windows, macOS, Linux, and Android. The Android version of Yubico Authenticator can communicate with YubiKeys over NFC or USB.

YubiKey Smart Card Minidriver

The YubiKey Smart Card Minidriver extends the PIV / Smart Card application on the YubiKey on Windows, facilitating deployment and management. Key benefits include:

  • Enrollment of the YubiKey using standard Windows utilities.
  • Auto-enrollment, enabling user self-provisioning of a YubiKey and automatic renewal.
  • Multiple authentication certificates on one YubiKey.
  • Changing of the PIN from the Ctrl+Alt+Del menu.
  • Unblocking of the PIN using the PUK at the Windows logon screen.

To get started with the YubiKey Smart Card Minidriver, see the deployment guide

Note

For use with YubiKeys in the 5 Series, version 4.0 or later of the minidriver is required.

Troubleshooting

If you run into any issues with a key from the YubiKey 5 Series, refer to the Knowledge Base and search for your issue. If your issue is not listed in the Knowledge Base, or if you have any technical questions, you can get in touch with Yubico Support by clicking here.