Tools and Troubleshooting

Managing Applications

Enabling/Disabling

To find out which applications are enabled on which interface, use either the Yubico Authenticator (see the Yubico Authenticator User Guide) or the ykman CLI (see the ykman CLI and YubiKey Manager GUI Guide).

Note

For the YubiKey 5Ci, any modifications made to the applications over the USB interface also apply to the applications over Lightning®.

Locking

Once the desired applications have been selected, you can set a lock code to prevent anyone from changing the set of enabled applications. To do this, use the ykman CLI command ykman config set-lock-code. The lock code is 16 bytes, presented as 32 hex characters. For more information on that command, see the ykman CLI and YubiKey Manager GUI Guide.
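The following shell sketch is an added example, not taken from Yubico's documentation. It generates a 16-byte lock code from the system random source, checks the 32-hex-character format, refuses a code made of one repeated byte, and only then hands it to ykman config set-lock-code. The function names are hypothetical, and the repeated-byte check is an extra precaution assumed here, not a ykman requirement.

```shell
#!/bin/sh
# Added example: generate, validate and apply a YubiKey configuration lock code.
# Function names are hypothetical helpers, not part of ykman.

# Print a fresh lock code: 16 random bytes as 32 lowercase hex characters.
gen_lock_code() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Succeed only if $1 is exactly 32 hex characters (16 bytes).
is_valid_lock_code() {
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# Succeed if $1 is one byte value repeated throughout (e.g. all zeros),
# which is trivially guessable. Call only on input that passed validation.
is_weak_lock_code() {
    lc=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    byte=$(printf '%s' "$lc" | cut -c1-2)
    [ -z "$(printf '%s' "$lc" | sed "s/$byte//g")" ]
}

# Set the lock code on the connected YubiKey (requires ykman and a key).
# Returns 2 for a malformed code and 3 for a repeated-byte code.
apply_lock_code() {
    is_valid_lock_code "$1" || {
        echo "lock code must be 32 hex characters" >&2
        return 2
    }
    is_weak_lock_code "$1" && {
        echo "refusing repeated-byte lock code" >&2
        return 3
    }
    ykman config set-lock-code --new-lock-code "$1"
}

# Demo without touching a YubiKey: generate a code and check it.
demo_code=$(gen_lock_code)
is_valid_lock_code "$demo_code" && ! is_weak_lock_code "$demo_code" \
    && echo "generated a valid ${#demo_code}-character lock code"
```

Record the generated code somewhere access-controlled before calling apply_lock_code, because later changes to the set of enabled applications need it.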

Yubico Authenticator

Yubico Authenticator is used to manage credentials on OATH applications and it lists OTPs generated by the YubiKey. Yubico Authenticator provides the time element for generating OTPs for OATH-TOTP credentials because the YubiKey does not have a battery and cannot track time. The Yubico Authenticator is open source, cross-platform, and runs on Windows, macOS, Linux, and Android. The Android version of Yubico Authenticator can communicate with YubiKeys over NFC or USB.

Yubico Authenticator is one of the tools most commonly used to configure YubiKeys. For a complete breakdown of Yubico Authenticator functionality by platform and connection type for each YubiKey model, see the Yubico Authenticator Functionality table.

The Yubico Authenticator, which replaces the old YubiKey Manager GUI, provides an easy-to-use method of performing basic configuration tasks of the YubiKey 5 Series, including:

  • Displaying information about the YubiKey(s) connected to the computer.
  • Enabling or disabling applications allowed through the physical interfaces.
  • Setting or changing the FIDO2 PIN, as well as resetting the FIDO application.
  • Managing the credentials in the OTP application.

YubiKey Manager GUI / ykman CLI

ykman (YubiKey Manager) is a CLI tool for configuring all aspects of 5 Series YubiKeys and for determining the model of YubiKey and the firmware version it is running. It is a cross-platform tool that runs on Windows, macOS, and Linux.

Note

The YubiKey Manager (GUI) is available, but is not robust. For a graphical interface, we recommend the Yubico Authenticator.

Be aware that some of the more advanced options are available only through the latest version of the ykman CLI. Download and install the most recent version of ykman.

GUI: YubiKey Manager

The YubiKey Manager has been superseded by the Yubico Authenticator. However, the YubiKey Manager is still available; it provides an easy-to-use method of performing basic configuration tasks of the YubiKey 5 Series, including:

  • Displaying information about the YubiKey(s) connected to the computer.
  • Enabling or disabling applications allowed through the physical interfaces.
  • Setting or changing the FIDO2 PIN, as well as resetting the FIDO application.
  • Managing the credentials in the OTP application.

CLI: ykman

Using ykman, you can do everything that YubiKey Manager can and more. ykman can also do more than the Yubico Authenticator. This includes, but is not limited to:

  • Enabling or disabling applications and preventing unauthorized changes by setting a lock code.
  • Managing the credentials in the PIV / Smart Card application, including resetting them.
  • Managing and generating OTPs from the credentials in the OATH application, including resetting the application.
  • Resetting the OpenPGP application and setting the OpenPGP touch policy.

For usage information and examples for ykman, see the YubiKey Manager / ykman CLI and GUI Guide.

YubiKey Smart Card Minidriver

The YubiKey Smart Card Minidriver extends the PIV / Smart Card application for YubiKey on Windows. It facilitates deployment and management. Key benefits include:

  • Enroll the YubiKey using standard Windows utilities.
  • Auto-enrollment for self-provisioning and automatically renewing a YubiKey.
  • Multiple authentication certificates on one YubiKey.
  • Change the PIN from the Ctrl+Alt+Del menu.
  • Unblock the PIN using the PUK at the Windows logon screen.

To get started with the YubiKey Smart Card Minidriver, see the deployment guide.

Note

Using PIV / Smart Cards with the YubiKey 5 Series requires YubiKey Smart Card Minidriver version 4.0 or later.

YubiKey Verification Site and FIDO Application Demo Site

The YubiKey Verification page on the Yubico website enables users to:

  • Validate the authenticity of the YubiKey.
  • Identify the model.
  • Read the firmware version on YubiKeys with firmware 5.4.0 and later.

For more detailed instructions, see How to Confirm Your Yubico Device is Genuine and/or Where to find YubiKey Firmware.

The Yubico WebAuthn Developer Tool offers users the ability to:

  • Demo the capabilities of the YubiKey FIDO application.
  • Inspect the FIDO2 Attestation Certificate.

To set a FIDO2 PIN without using ykman, refer to Understanding YubiKey PINS.

Troubleshooting

For any issues with a key from the YubiKey 5 Series, refer to the Knowledge Base and search for the issue. If your issue is not listed in the Knowledge Base, or if you have any technical questions, submit a request with Yubico Support.

