Tools and Troubleshooting

Managing Applications

Enabling/Disabling

The YubiKey Manager (ykman) can be used to find out which applications are enabled on which interface and to enable or disable each application on each physical interface.

To find out which applications are enabled, select the Interfaces tab. A checkbox with a tick is shown next to each enabled application. To change which applications are enabled, use the checkboxes. Select the ones you want enabled, unselect the ones you want disabled, and click Save Interfaces.

Note

For the YubiKey 5Ci, any modifications made to the applications over the USB interface also apply to the applications over Lightning®.

Locking

Once the desired applications have been selected, you can set a lock code to prevent changing the set of enabled applications. To do this, use the YubiKey Manager command line interface command ykman config set-lock-code. The lock code is 16 bytes presented as 32 hex characters. For more information, see the YubiKey Manager (ykman) CLI & GUI Guide <https://docs.yubico.com/software/yubikey/tools/ykman/>`_.

YubiKey Manager (ykman)

The YubiKey Manager is a tool for configuring all aspects of 5 Series YubiKeys and for determining the model of YubiKey and the firmware running on the YubiKey. YubiKey Manager is a cross-platform tool; it runs on Windows, macOS, and Linux. It has both a graphical interface and a command line interface. However, some of the more advanced options are only available through the command line. See the YubiKey Manager (ykman) CLI Guide.

Graphical User Interface (GUI)

The graphical user interface of the YubiKey Manager provides an easy-to-use method of performing basic configuration tasks of the YubiKey 5 Series, including:

Displaying information about the YubiKey(s) connected to the computer.
Enabling or disabling applications allowed through physical interface.
Setting or changing the FIDO2 PIN, as well as resetting the FIDO application.
Managing the credentials in the OTP application.

Command Line Interface (CLI)

Using ykman’s CLI, you can do everything that the GUI can and more. This includes, but is not limited to:

Enabling or disabling applications and prevent unauthorized changes by setting a lock code.
Managing the credentials in the PIV / Smart Card application, including resetting them.
Managing and generating OTPs from the credentials in the OATH application, including resetting the application.
Resetting the OpenPGP application and setting the OpenPGP touch policy.

For usage information and examples for ykman, see the YubiKey Manager (ykman) CLI and GUI Guide.

Yubico Authenticator

Yubico Authenticator is used to manage credentials on OATH applications and it lists OTPs generated by the YubiKey. Yubico Authenticator provides the time element for generating OTPs for OATH-TOTP credentials because the YubiKey does not have a battery and cannot track time. The Yubico Authenticator is open source, cross-platform, and runs on Windows, macOS, Linux, and Android. The Android version of Yubico Authenticator can communicate with YubiKeys over NFC or USB.

YubiKey Smart Card Minidriver

The YubiKey Smart Card Minidriver extends the PIV / Smart Card application for YubiKey on Windows. It facilitates deployment and management. Key benefits include:

Enroll the YubiKey using standard Windows utilities.
Auto-enrollment for self-provisioning and automatically renewing a YubiKey.
Multiple authentication certificates on one YubiKey.
Change the PIN from the Ctrl+Alt+Del menu.
Unblock the PIN using the PUK at the Windows logon screen.

To get started with the YubiKey Smart Card Minidriver, see the deployment guide

Note

To use PIV / Smart Cards with YubiKey 5 Series, requires YubiKey Smart Card Minidriver version 4.0 or later.

Troubleshooting

For any issues with a key from the YubiKey 5 Series, refer to the Knowledge Base and search for the issue. If your issue is not listed in the Knowledge Base, or if you have any technical questions, submit a request with Yubico Support.

Click for Yubico Support.