FIDO Commands

Acronyms and their definitions are listed at the bottom of this page.

ykman fido [OPTIONS] COMMAND [ARGS]…

Description: Manage FIDO applications.

Examples

  • Reset the FIDO (FIDO2 and U2F) applications: $ ykman fido reset
  • Change the FIDO2 PIN from 123456 to 654321: $ ykman fido access change-pin --pin 123456 --new-pin 654321

Options

  • -h, --help Show this message and exit.

Commands

  • info Display status of FIDO2 application.
  • reset Reset all FIDO applications.
  • access Manage the PIN for FIDO.
  • credentials Manage resident (discoverable) credentials.

ykman fido access [OPTIONS] COMMAND [ARGS]…

Description: Manage the PIN for FIDO.

Options

  • -h, --help Show this message and exit.

Commands

  • change-pin Set or change the PIN code.
  • unlock Verify U2F PIN for YubiKey FIPS.

ykman fido access change-pin [OPTIONS]

Description: Set or change the PIN code. The FIDO2 PIN must be at least 4 characters long and may contain any alphanumeric characters. On YubiKey FIPS, a separate PIN can be set for FIDO U2F; that PIN must be at least 6 characters long.

Options

  • -P, --pin TEXT Current PIN code.
  • -n, --new-pin TEXT A new PIN.
  • -u, --u2f Set FIDO U2F PIN instead of FIDO2 PIN.
  • -h, --help Show this message and exit.

ykman fido access unlock [OPTIONS]

Description: Verify U2F PIN for YubiKey FIPS. Unlocks the YubiKey FIPS and allows U2F registration.

Options

  • -P, --pin TEXT Current PIN code.
  • -h, --help Show this message and exit.

ykman fido credentials [OPTIONS] COMMAND [ARGS]…

Description:

Manage resident (discoverable) credentials. This command lets you manage credentials stored on your YubiKey. Credential management is only available when a FIDO PIN is set on the YubiKey.

Note

Managing credentials requires having a PIN. Set a PIN first.

Examples

  • List stored credentials (providing PIN via argument): $ ykman fido credentials list --pin 123456
  • Delete a stored credential by user name (PIN will be prompted for): $ ykman fido credentials delete example_user

Options

  • -h, --help Show this message and exit.

Commands

  • delete Delete a resident credential.
  • list List resident credentials.

ykman fido info

Description: Display status of FIDO2 application. Indicates whether a PIN is set and, if so, how many PIN attempts remain before the PIN is blocked.

Options

  • -h, --help Show this message and exit.
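The facts that `ykman fido info` reports (PIN set or not, retries remaining) and the note that credential management needs a PIN both come from the authenticator's CTAP2 getInfo response. The following is an added example, not code from ykman or its documentation: `fido2_status` interprets the getInfo `options` map with no hardware required, and `probe_yubikey` reads the same facts from a connected key (it assumes the python-fido2 1.x library is installed; both function names are this example's own).

```python
# Added example, not part of ykman. Interprets the CTAP2 getInfo "options"
# that `ykman fido info` summarises; probe_yubikey() assumes python-fido2 1.x.


def fido2_status(options: dict) -> dict:
    """Translate CTAP2 getInfo 'options' into what ykman fido info reports.

    CTAP2 semantics: 'clientPin' absent means no PIN support at all,
    False means a PIN is supported but not yet set, True means a PIN is set.
    Older YubiKey firmware advertises 'credentialMgmtPreview' instead of
    'credMgmt'; both mean resident-credential management is available.
    """
    pin = options.get("clientPin")
    pin_set = pin is True
    cred_mgmt_supported = bool(options.get("credMgmt") or options.get("credentialMgmtPreview"))
    return {
        "pin_supported": pin is not None,
        "pin_set": pin_set,
        "cred_mgmt_supported": cred_mgmt_supported,
        # ykman fido credentials list/delete only works once a PIN is set
        "cred_mgmt_usable": cred_mgmt_supported and pin_set,
    }


def probe_yubikey() -> dict:
    """Read the same facts from a connected YubiKey over CTAP HID (assumes python-fido2 1.x)."""
    from fido2.hid import CtapHidDevice  # assumption: python-fido2 installed
    from fido2.ctap2 import ClientPin, Ctap2

    dev = next(CtapHidDevice.list_devices(), None)
    if dev is None:
        raise RuntimeError("no CTAP HID device found")
    ctap = Ctap2(dev)
    status = fido2_status(ctap.info.options)
    if status["pin_set"]:
        # attempts left before the PIN is blocked, as ykman fido info shows
        retries, _power_cycle_needed = ClientPin(ctap).get_pin_retries()
        status["pin_retries"] = retries
    return status


if __name__ == "__main__":
    print(probe_yubikey())
```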

ykman fido reset [OPTIONS]

Description: Reset all FIDO applications. This action wipes all FIDO credentials on the YubiKey, including FIDO U2F credentials, and removes the PIN code. The reset is triggered immediately after the YubiKey is inserted, and it requires that the YubiKey be touched.

Options

  • -f, --force Confirm the action without prompting.
  • -h, --help Show this message and exit.

ykman info [OPTIONS]

Description: Show general information. Displays information about the connected YubiKey such as serial number, firmware version, applications, etc.

Options

  • -c, --check-fips Check if YubiKey is in FIPS-approved mode.
  • -h, --help Show this message and exit.

Example

$ ./ykman info
Device type: YubiKey 5Ci
Serial number: 12345678
Firmware version: 5.2.3
Form factor: Keychain (USB-C, Lightning)
Enabled USB interfaces: OTP, FIDO, CCID

Applications
OTP          Enabled
FIDO U2F     Enabled
OpenPGP      Enabled
PIV          Enabled
OATH         Enabled
FIDO2        Enabled

Acronyms

3DES: Triple Data Encryption Algorithm
AES: Advanced Encryption Standard
CCC: Card Capability Container
CCID: Chip Card Interface Device, a USB protocol for a smartcard
CHUID: Card Holder Unique ID
CN: Common Name
CSR: Certificate Signing Request
ECC: Elliptic Curve Cryptography
FIDO: Fast Identity Online
FIPS: Federal Information Processing Standards (US government) covering codes and encryption standards
HMAC: Hash-based Message Authentication Code
HOTP: HMAC-based One-Time Password algorithm
OATH: The Initiative for Open Authentication, an organization that specifies two open authentication standards, TOTP and HOTP
OTP: One-Time Password
PUK: PIN Unlock Key
stdin: standard input, usually the keyboard or CLI instructions
stdout: standard output, usually printed to the screen
TOTP: Time-based One-Time Password algorithm
X.509: The standard defining the format of a public key certificate

To get in touch with Yubico Support, go to https://support.yubico.com/hc/en-us/requests/new.