FIDO Commands

On Windows, FIDO operations are privileged. Therefore you must run Command Prompt / PowerShell as administrator in order to be able to run commands that begin with ykman fido.

Acronyms and their definitions are listed at the bottom of the Base Commands page.

ykman fido [OPTIONS] COMMAND [ARGS]…

Manage FIDO applications.

Examples

Reset the FIDO (FIDO2 and U2F) applications:
```
$ ykman fido reset
```

Change the FIDO2 PIN from 123456 to 654321:

$ ykman fido access change-pin --pin 123456 --new-pin 654321

Options

Option	Description
`-h, --help`	Show this message and exit.

Commands

Command	Description
`access`	Manage the PIN for FIDO.
`credentials`	Manage discoverable (resident) credentials.
`fingerprints`	Manage fingerprints.
`info`	Display status of FIDO2 application.
`reset`	Reset all FIDO applications.

ykman fido access [OPTIONS] COMMAND [ARGS]…

Manage the PIN for FIDO.

Options

Option	Description
`-h, --help`	Show this message and exit.

Commands

Command	Description
`change-pin`	Set or change the PIN code
`force-change`	Force the PIN to be changed to a new value upon next use
`set-min-length`	Set the minimum length allowed for PIN
`verify-pin`	Verify the FIDO PIN against a YubiKey

ykman fido access change-pin [OPTIONS]

Length of the alphanumeric string. On YubiKey FIPS, a PIN can be set for FIDO U2F. That PIN must be at least 6 characters long.

Options

Option	Description
`-h, --help`	Show this message and exit.
`-n, --new-pin TEXT`	A new PIN.
`-P, --pin TEXT`	Current PIN code.
`-u, --u2f`	Set FIDO U2F PIN instead of FIDO2 PIN.

ykman fido access unlock [OPTIONS] (Deprecated)

Replaced unlock command with verify-pin command.

Verify U2F PIN for YubiKey FIPS. Unlock the YubiKey FIPS and allow U2F registration.

Options

Option	Description
`-h, --help`	Show this message and exit.
`-P, --pin TEXT`	Current PIN code.

ykman fido access verify-pin [OPTIONS]

Verify the FIDO PIN against a YubiKey. For YubiKeys supporting FIDO2 this resets the “retries” counter of the PIN. For YubiKey FIPS this unlocks the session, allowing U2F registration.

Options

Option	Description
`-h, --help`	Show this message and exit.
`-P, --pin TEXT`	Current PIN code.

ykman fido config [OPTIONS] COMMAND [ARGS]…

Manage FIDO configuration.

Options

Option	Description
`-h, --help`	Show this message and exit.

Commands

Command	Description
`enable-ep-attestation`	Enables Enterprise Attestation for Authenticators pre-configured to support it.
`toggle-always-uv`	Toggles the state of Always Require User Verification.

ykman fido credentials [OPTIONS] COMMAND [ARGS]…

Manage discoverable (resident) credentials. This command lets you manage credentials stored on your YubiKey. Credential management is only available when a FIDO PIN is set on the YubiKey.

Note

Managing credentials requires having a PIN. Set a PIN first.

Examples

List stored credentials (providing PIN via argument):
```
$ ykman fido credentials list --pin 123456
```
Delete a credential by user name (PIN is prompted for):
```
$ ykman fido credentials delete example_user
```

Options

Option	Description
`-h, --help`	Show this message and exit.

Commands

Command	Description
`delete`	Delete a resident credential.
`list`	List resident credentials.

ykman fido credentials delete [OPTIONS] QUERY

Delete a credential.

Arguments

Argument	Description
`QUERY`	A unique substring match of a credentials RP ID, user ID (hex) or name, or credential ID.

Options

Option	Description
`-h, --help`	Show this message and exit.
`-f, --force`	Confirm deletion without prompting
`-P, --pin TEXT`	PIN code.

ykman fido credentials list [OPTIONS]

List credentials.

Options

Option	Description
`-h, --help`	Show this message and exit.
`-P, --pin TEXT`	PIN code.

ykman fido fingerprints [OPTIONS] COMMAND [ARGS]…

Manage fingerprints. Requires a YubiKey with fingerprint sensor. Fingerprint management is only available when a FIDO PIN is set on the YubiKey.

Examples

Register a new fingerprint (providing PIN via argument):

$ ykman fido fingerprints add "Left thumb" --pin 123456

List already stored fingerprints (providing PIN via argument):
```
$ ykman fido fingerprints list --pin 123456
```
Delete a stored fingerprint with ID “f691” (PIN is prompted for):
```
$ ykman fido fingerprints delete f691
```

Options

Option	Description
`-h, --help`	Show this message and exit.

Commands

Command	Description
`add`	Add a new fingerprint.
`delete`	Delete a fingerprint.
`list`	List registered fingerprint.
`rename`	Set the label for a fingerprint.

ykman fido fingerprints add [OPTIONS] NAME

Add a new fingerprint.

Arguments

Argument	Description
`NAME`	Short readable name for the fingerprint. For example, Left thumb.

Options

Option	Description
`-h, --help`	Show this message and exit.
`-P, --pin TEXT`	PIN code.

ykman fido fingerprints delete [OPTIONS] ID

Delete a fingerprint. Delete a fingerprint from the YubiKey by its ID.

Arguments

Argument	Description
`ID`	To see the ID run the `list` subcommand.

Options

Option	Description
`-h, --help`	Show this message and exit.
`-f, --force`	Confirm deletion without prompting.
`-P, --pin TEXT`	PIN code.

ykman fido fingerprints list [OPTIONS]

List registered fingerprint. Lists fingerprints by ID and (if available) label.

Options

Option	Description
`-h, --help`	Show this message and exit.
`-P, --pin TEXT`	PIN code.

ykman fido fingerprints rename [OPTIONS] ID NAME

Set the label for a fingerprint.

Arguments

Argument	Description
`ID`	The ID of the fingerprint to rename (as shown in `list`).
`NAME`	Short readable name for the fingerprint. For example, Left thumb.

Options:

Option	Description
`-h, --help`	Show this message and exit.
`-P, --pin TEXT`	PIN code.

ykman fido info

Display general status of the FIDO2 application.

Options

Option	Description
`-h, --help`	Show this message and exit.

ykman fido reset [OPTIONS]

Reset all FIDO applications. This action wipes all FIDO credentials on the YubiKey, including FIDO U2F credentials, and removes the PIN code. The reset is triggered immediately after the YubiKey is inserted, and it requires that the YubiKey be touched.

Options

Option	Description
`-h, --help`	Show this message and exit.
`-f, --force`	Confirm the action without prompting.

Click for Yubico Support.