Home and Settings
For desktop and Android devices, general app and key settings are managed primarily through the Home page. Features include:
- changing a YubiKey’s label and color in the app
- toggling YubiKey applications on/off (desktop only)
- changing the app theme
- toggling between multiple connected keys (desktop only)
- performing a factory reset of a YubiKey application
There are also mobile-specific settings for both Android and iOS/iPadOS.
The Home page: YubiKey at a glance
Note
The Home feature is available for Yubico Authenticator for Desktop and Android only.
The Home page displays a wealth of important information about the connected YubiKey, including:
- YubiKey model (e.g. YubiKey 5 NFC).
- Custom label (if one was created).
- Serial number.
- Firmware version.
- PIN complexity status (available for custom-configured keys, FIPS series keys, and Security Key Series - Enterprise Edition keys with firmware 5.7 or later).
- Enabled applications for current connection type (USB or NFC). Applications include Yubico OTP, PIV, OATH, OpenPGP, FIDO U2F, FIDO2, and YubiHSM Auth, depending on your YubiKey.
- FIPS status (available for YubiKey 5 FIPS Series keys with firmware 5.7 or later).
PIN complexity status
PIN complexity is a new feature offered with firmware version 5.7. It is enabled by default on all YubiKey 5 FIPS Series keys and Security Key Series - Enterprise Edition keys and is an optional add-on for custom-configured YubiKeys. If PIN complexity is enabled, the YubiKey will block the usage of trivial PINs, such as “11111111”, “password”, or “12345678”.
Note
Yubico offers custom configuration options to personalize YubiKeys during production. For more details, visit Yubico’s Customization guide.
If the feature is enabled on your key, you will see the PIN complexity status (“PIN complexity enforced”) on the Home screen, which is underneath the firmware version. PIN complexity enablement occurs during YubiKey manufacturing and cannot be modified (disabled or re-enabled) via Yubico Authenticator.
For more information on PIN complexity and the full PIN blocklist, see the YubiKey Technical Manual.
FIPS status
The FIPS status, which is available for YubiKey 5 FIPS Series keys with firmware 5.7 or later, has two components: FIPS capable and FIPS approved.
“FIPS approved” refers to YubiKey applications that are in compliance with the FIPS 140-3 standard. “FIPS capable” refers to YubiKey applications that are capable of complying with FIPS 140-3 but haven’t yet been configured to achieve that status.
Note
For a complete list of the YubiKey requirements for FIPS 140-3, see the YubiKey Technical Manual.
The following YubiKey applications are capable of FIPS 140-3 compliance:
- PIV
- FIDO2
- OATH
- OpenPGP
- YubiHSM Auth
To check a key’s FIPS status, look for the FIPS shield icon next to the application name on the Home screen. If an application has been disabled, you must re-enable it to check its FIPS status.
Yubico Authenticator will not allow you to create credentials for applications in the FIPS capable state. This includes OATH accounts, FIDO2 passkeys, and PIV keys and certificates. The Yubico OTP application, which cannot be in the FIPS capable or FIPS approved states, is unaffected.
Once an application transitions to the FIPS approved state, the only way to return to the FIPS capable state is by performing a factory reset of that application.
Note
Yubico Authenticator for desktop and Android support Secure Channel Protocol 11b (SCP11b). This ensures that NFC connections between the app and YubiKey 5 FIPS Series keys are FIPS-compliant as long as the device running Yubico Authenticator also supports AES-CMAC (native support for AES-CMAC on Android is version-dependent).
Putting an application in FIPS approved mode
The PIV, FIDO2, and OATH applications can be put into the FIPS approved state using Yubico Authenticator. Once an application is in the FIPS approved state, you will have full access to the application’s functionality.
Do the following for each application:
- OATH
  - Set an OATH application password.
- FIDO2
  - Set a FIDO2 PIN. The PIN must be at least 8 characters and adhere to the key’s PIN complexity requirements.
- PIV
  - Change the PIV PIN and PUK. They must be at least 8 characters and adhere to the key’s PIN complexity requirements.
  - Change the Management Key. You must use an AES key algorithm, which will be automatically enforced by Yubico Authenticator.
Note
The YubiHSM Auth and OpenPGP applications cannot be put into FIPS approved mode with Yubico Authenticator. (In fact, the only YubiHSM Auth and OpenPGP functionality the Authenticator offers is the ability to toggle those applications on/off.) To interact with these applications, use the ykman CLI tool. For more information on the requirements that must be met for the YubiHSM Auth and OpenPGP applications to achieve FIPS approved status, see the YubiKey Technical Manual.
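For administrators preparing several keys, the OATH, FIDO2, and PIV credential changes listed above can also be driven through the ykman CLI mentioned in the note. This is an added example, not part of the Yubico documentation: the function name `fips_prepare` is hypothetical, AES256 is one choice among the AES algorithms, and it assumes ykman is installed and that changes made through it count toward the same requirements.

```shell
#!/bin/sh
# Added example (not Yubico's code): make the credential changes listed
# above with ykman instead of the GUI. ykman prompts interactively for the
# current and new secrets, so no PIN or password ends up in shell history.

# fips_prepare SERIAL [APP...]
#   SERIAL  serial number shown on the Home page (digits only)
#   APP     any of: oath fido2 piv (default: all three)
fips_prepare() {
    serial=$1
    case "$serial" in
        ''|*[!0-9]*)
            echo "usage: fips_prepare SERIAL [oath|fido2|piv]..." >&2
            return 2 ;;
    esac
    shift
    [ $# -gt 0 ] || set -- oath fido2 piv

    for app in "$@"; do
        case "$app" in
            oath)
                # Set an OATH application password.
                ykman --device "$serial" oath access change || return 1 ;;
            fido2)
                # Set a FIDO2 PIN (at least 8 characters, per the list above).
                ykman --device "$serial" fido access change-pin || return 1 ;;
            piv)
                # Change PIN and PUK, then replace the management key,
                # selecting an AES algorithm explicitly.
                ykman --device "$serial" piv access change-pin || return 1
                ykman --device "$serial" piv access change-puk || return 1
                ykman --device "$serial" piv access change-management-key \
                    --algorithm AES256 || return 1 ;;
            *)
                # OpenPGP and YubiHSM Auth requirements are documented in
                # the YubiKey Technical Manual, not here.
                echo "fips_prepare: unsupported application '$app'" >&2
                return 2 ;;
        esac
    done
}
```

Passing the serial number pins every command to one key, which matters when several YubiKeys are connected at once. Afterwards, confirm the result by checking for the FIPS shield icon on the Home screen.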
Switching between keys
Note
Toggling between multiple connected YubiKeys is available on Yubico Authenticator for Desktop only.
Yubico Authenticator for Desktop allows you to interact with multiple connected YubiKeys (only one key can be connected over NFC, but USB connections are not limited). When performing operations in Yubico Authenticator, changes can only be applied to one key at a time.
If you have more than one YubiKey connected to your desktop device, you can toggle between them by selecting a key underneath the menu icon in the upper left corner of the app. Any YubiKey changes made via the Home, Accounts, Passkeys, Fingerprints, Certificates, and Slots pages will apply to the selected key only.
Change a YubiKey’s label and color
Note
YubiKey labels and colors can be changed on Yubico Authenticator for Desktop and Android only.
By default, connected YubiKeys are labeled with their model name on the Home page and the left menu bar. They also have a default color scheme within the app (green on desktop, purple on Android).
To assist with managing multiple keys, key labels and colors can be customized. When a custom label is created, the key’s model name is moved into parentheses after the custom text. These changes persist on the device they are initiated on; if a key is unplugged and then reconnected, the label and color will reflect whatever was previously configured. If multiple keys with different colors are connected to your desktop device, switching between them will change the app’s color scheme.
The label and color information is stored in the app itself, not on the YubiKey. If you toggle these settings for a key on Device A and then connect the key to Device B, you will not see the label/color changes in the app on Device B.
To change a label or color for a particular YubiKey, do the following:
- Plug your YubiKey into your device, click the menu icon in the upper left corner of the app, and select Home.
  - To connect via NFC on desktop, click the NFC icon in Yubico Authenticator and place your YubiKey on top of a desktop NFC reader. The key must maintain constant contact with the reader throughout the operation.
  - To connect via NFC on Android, tap your YubiKey on the back of your device to scan.
- To change the color, click the palette icon and select a new color.
- To change the label, click the pencil icon next to the key’s model name. Enter a new name for your key and click Save.
Toggle YubiKey applications on/off
Note
The Toggle applications feature is available on Yubico Authenticator for Desktop only.
The YubiKey applications, which include Yubico OTP, PIV, OATH, OpenPGP, FIDO U2F, YubiHSM Auth, and FIDO2, can be enabled or disabled for both USB and NFC connections. If an application is disabled, that application will no longer interact with connected devices over the indicated connection type.
For example, if the Yubico OTP application is disabled over USB, the key will no longer emit a Yubico OTP (if a slot is configured with one) when the key is connected to a device over USB and touched.
For YubiKey Bio Multi-protocol Edition keys, once the key is considered “in use”, applications cannot be toggled on/off until a factory reset is performed. “In use” means that the key has been configured in some way: a PIN has been set, the PIV management key has been changed, a certificate has been loaded into one of the PIV application slots, etc.
Note
Enabling/disabling an application does not reset the application; all credentials and settings are preserved.
To enable/disable an application, do the following:
- Plug your YubiKey into your device, click the menu icon in the upper left corner of the app, and select Home.
  - To connect via NFC on desktop, click the NFC icon in Yubico Authenticator and place your YubiKey on top of a desktop NFC reader. The key must maintain constant contact with the reader throughout the operation.
- Click Toggle applications under Device. To find the Device menu in a narrow app window, click the three dots in the upper right corner.
- To enable an application, click on it until it shows a check mark. To disable an application, click on it until the check mark disappears. When you are done, click Save.
Change the Authenticator theme
Note
The app theme can be changed on Yubico Authenticator for Desktop and Android only.
Yubico Authenticator for Desktop and Android have three themes available: default, light, and dark. The color of the default theme is dependent on your system settings.
To change the theme, do the following:
- Open Yubico Authenticator, click the menu icon in the upper left corner of the app, and select Home.
- Click Settings under Application. In the Settings window, click Application theme and select a new theme.
  - To find the Application menu in a narrow app window, click the three dots in the upper right corner of the app.
Android settings
There are several settings that are unique to Yubico Authenticator for Android. These include:
- NFC tap behavior
- Touch requirement with NFC
- NFC sounds
- USB connectivity
Note
Android NFC settings are only visible in the Yubico Authenticator app on devices that support NFC.
To toggle these settings, open Yubico Authenticator, click the menu icon in the upper left corner of the app, and select Home. Click the three dots in the upper right corner of the app and select Settings under Application.
NFC tap behavior
Yubico Authenticator can be configured to do one of the following when a YubiKey is tapped against the Android device’s NFC reader:
- Launch Yubico Authenticator
- Generate a Yubico OTP and copy it to clipboard
- Launch Yubico Authenticator, generate a Yubico OTP, and copy it to clipboard
- Nothing
By default, Launch Yubico Authenticator is selected. To toggle this setting, click On YubiKey NFC tap under NFC options.
Touch requirement with NFC
When an OATH account is added to a YubiKey, it can be configured to “require touch” in order to generate an OTP. For NFC connections, this means tapping the YubiKey against the device’s NFC reader at least twice: once to display the OATH accounts and again to generate and display the OTP for a particular account.
However, on Android, this touch requirement can be bypassed so that OTPs are generated and displayed for all TOTP OATH accounts on the initial NFC tap. To do so, toggle on Bypass touch requirement under NFC options.
NFC sounds
By default, Android devices with volume on will emit a sound whenever a YubiKey is scanned by the NFC reader. To turn this sound off, click the toggle next to Silence NFC sounds.
USB connectivity
By default, Yubico Authenticator does not automatically launch when a YubiKey is connected to an Android device over USB.
To change this so that Yubico Authenticator launches automatically, toggle on Launch when YubiKey is connected under USB options. Note that this prevents other apps from using the YubiKey when connected over USB.
iOS/iPadOS settings
There are several settings that are unique to Yubico Authenticator for iOS/iPadOS. These include:
- NFC reader initiation after opening the app
- Touch requirement with NFC
- Clipboard settings for copying Yubico OTPs
- NFC reader initiation after generating a Yubico OTP
- Yubico OTP generation
YubiKey overview
To get an overview of a YubiKey connected to an iOS/iPadOS device, click the three dots in the upper right corner and select Configuration.
The Configuration screen displays the key’s model name, firmware version, and serial number.
Initiate NFC at application start
By default, to connect to a YubiKey over NFC on iOS/iPadOS, you must swipe down on the screen to initiate the NFC reader prior to scanning the key. To automatically trigger the NFC reader when the application is launched (as in, the app will prompt you to scan your key without having to swipe down on the screen first), do the following:
- Click the three dots in the upper right corner and select Configuration.
- Click NFC settings.
- On the NFC settings page, toggle on Initiate NFC at application start.
Touch requirement
When an OATH account is added to a YubiKey, it can be configured to “require touch” in order to generate an OTP. For NFC connections, this means tapping the YubiKey against the device’s NFC reader at least twice: once to display the OATH accounts and again to generate and display the OTP for a particular account.
However, on iOS/iPadOS, this touch requirement can be bypassed so that OTPs are generated and displayed for all TOTP OATH accounts on the initial NFC tap. To do so, do the following:
- Click the three dots in the upper right corner and select Configuration.
- Click NFC settings.
- On the NFC settings page, toggle on Bypass touch requirement.
Copy Yubico OTP to clipboard
When a YubiKey is held next to an iOS/iPadOS device’s NFC reader (whether the Authenticator app is open or not), the key will generate a Yubico OTP (if a slot is configured), and the device will prompt you to open Yubico Authenticator, where the OTP will be displayed. Clicking on the OTP will copy it to the clipboard.
To copy the OTP to the clipboard automatically after opening Yubico Authenticator, do the following:
- Click the three dots in the upper right corner and select Configuration.
- Click NFC settings.
- On the NFC settings page, toggle on Copy OTP to clipboard.
Activate NFC on OTP tag read
When a YubiKey is held next to an iOS/iPadOS device’s NFC reader (whether the Authenticator app is open or not), the key will generate a Yubico OTP (if a slot is configured), and the device will prompt you to open Yubico Authenticator, where the OTP will be displayed. The app can also be configured to launch the NFC reader once the app is opened in this scenario. Once the key is scanned, the OATH accounts are displayed along with the Yubico OTP.
This is set to “On” by default. To toggle this setting off, do the following:
- Click the three dots in the upper right corner and select Configuration.
- Click NFC settings.
- On the NFC settings page, toggle off Activate NFC on OTP tag read.
Toggle Yubico OTPs
By default, YubiKeys will generate a Yubico OTP (if a slot is configured) when the key is touched or scanned with an NFC reader. To turn off this setting, do the following:
- Click the three dots in the upper right corner and select Configuration.
- On the Configuration page, select Toggle One-Time Password.
- If connecting over NFC, scan your key when prompted. Otherwise, plug in your key.
- Click the toggle next to One-Time Password. If connecting over NFC, scan your key when prompted to complete the operation.
Important
This toggle changes a setting on the YubiKey itself, not the app. If you toggle this setting off, the YubiKey will not emit an OTP when touched or scanned on ANY device. Also, if you toggle this setting off while connected over NFC, it will only prevent OTPs from being generated and submitted over NFC; touching the key when connected over USB or Lightning will still generate an OTP. Similarly, if you toggle this setting off when the key is plugged into your device, it will only prevent OTPs from being generated and submitted over USB/Lightning; scanning the key with an NFC reader will still generate an OTP.