OATH Commands

Acronyms and their definitions are listed at the bottom of this page.

ykman oath [OPTIONS] COMMAND [ARGS]…

Description: Manage OATH application.

Examples

  • Generate codes for credentials starting with ‘yubi’: $ ykman oath accounts code yubi
  • Add a touch credential with the secret key f5up4ub3dw and the name yubico: $ ykman oath accounts add yubico f5up4ub3dw --touch
  • Set a password for the OATH application: $ ykman oath access change

Options

  • -h, --help Show this message and exit.

Commands

  • info Display status of OATH application.
  • reset Reset all OATH data.
  • access Manage password protection for OATH.
  • accounts Manage and use OATH accounts.

ykman oath accounts add [OPTIONS] NAME [SECRET]

Description: Add a new credential. This will add a new credential to the YubiKey.

Options

  • -o, --oath-type [HOTP|TOTP] Time-based (TOTP) or counter-based (HOTP) credential. [default: TOTP]
  • -d, --digits [6|7|8] Number of digits in generated code. [default: 6]
  • -a, --algorithm [SHA1|SHA256|SHA512] Algorithm to use for code generation. [default: SHA1]
  • -c, --counter INTEGER Initial counter value for HOTP credentials.
  • -P, --period INTEGER Number of seconds a TOTP code is valid. [default: 30]
  • -t, --touch Require touch on YubiKey to generate code.
  • -f, --force Confirm the action without prompting.
  • -p, --password TEXT Provide a password to unlock the YubiKey.
  • -r, --remember Remember the password on this machine.
  • -h, --help Show this message and exit.

ykman oath accounts code [OPTIONS] [QUERY]

Description: Generate codes. Generate codes from credentials stored on the YubiKey. Provide a query string to match one or more specific credentials. Touch and HOTP credentials require a single match to be triggered.

Options

  • -H, --show-hidden Include hidden credentials.
  • -s, --single Ensure only a single match, and output only the code.
  • -p, --password TEXT Provide a password to unlock the YubiKey.
  • -r, --remember Remember the password on this machine.
  • -h, --help Show this message and exit.

ykman oath accounts delete [OPTIONS] QUERY

Description: Delete a credential. Delete a credential from the YubiKey. Provide a query string to match the credential to delete.

Options

  • -f, --force Confirm deletion without prompting.
  • -p, --password TEXT Provide a password to unlock the YubiKey.
  • -r, --remember Remember the password on this machine.
  • -h, --help Show this message and exit.

ykman oath info [OPTIONS]

Description: Display status of OATH application.

Options

  • -h, --help Show this message and exit.

ykman oath accounts list [OPTIONS]

Description: List all credentials. List all credentials stored on the YubiKey.

Options

  • -H, --show-hidden Include hidden credentials.
  • -o, --oath-type Display the OATH type.
  • -P, --period Display the period.
  • -p, --password TEXT Provide a password to unlock the YubiKey.
  • -r, --remember Remember the password on this machine.
  • -h, --help Show this message and exit.

ykman oath access remember [OPTIONS]

Description: Store the YubiKey's password on this computer to avoid having to enter it on each use.

Options

  • -p, --password TEXT Provide a password to unlock the YubiKey.
  • -h, --help Show this message and exit.

ykman oath reset [OPTIONS]

Description: Reset all OATH data. This action will wipe all credentials and reset factory settings for the OATH application on the YubiKey.

Options

  • -f, --force Confirm the action without prompting.
  • -h, --help Show this message and exit.

ykman oath access change [OPTIONS]

Description: Change the password used to protect OATH credentials. Allows you to set or change a password that will be required to access the OATH credentials stored on the YubiKey.

Options

  • -p, --password TEXT Provide a password to unlock the YubiKey.
  • -c, --clear Clear the current password.
  • -n, --new-password TEXT Provide a new password as an argument.
  • -h, --help Show this message and exit.

ykman oath accounts uri [OPTIONS] URI

Description: Add a new credential from an otpauth:// URI. Use a URI to add a new credential to the YubiKey.

Options

  • -t, --touch Require touch on YubiKey to generate code.
  • -f, --force Confirm the action without prompting.
  • -p, --password TEXT Provide a password to unlock the YubiKey.
  • -r, --remember Remember the password on this machine.
  • -h, --help Show this message and exit.
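
Before enrolling a credential with accounts uri, the URI's parameters can be checked against the values accounts add accepts, and the codes the YubiKey later produces can be compared with an independent RFC 4226 / RFC 6238 computation. The following is an added example, not ykman's own code; the function names parse_otpauth, hotp and expected_code are hypothetical, and the sample URI is constructed from the RFC 6238 test secret.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, unquote, urlparse

# Accepted values taken from the `accounts add` options listed on this page.
ALLOWED_DIGITS = {6, 7, 8}
ALLOWED_ALGORITHMS = {"SHA1", "SHA256", "SHA512"}

def parse_otpauth(uri):
    """Parse an otpauth:// URI; raise ValueError on out-of-range parameters."""
    u = urlparse(uri)
    oath_type = u.netloc.upper()
    if u.scheme != "otpauth" or oath_type not in ("TOTP", "HOTP"):
        raise ValueError("expected otpauth://totp/... or otpauth://hotp/...")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    cred = {
        "name": unquote(u.path.lstrip("/")),
        "oath_type": oath_type,
        "algorithm": q.get("algorithm", "SHA1").upper(),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "counter": int(q.get("counter", 0)),
    }
    if cred["digits"] not in ALLOWED_DIGITS:
        raise ValueError("digits must be 6, 7 or 8")
    if cred["algorithm"] not in ALLOWED_ALGORITHMS:
        raise ValueError("algorithm must be SHA1, SHA256 or SHA512")
    if cred["period"] <= 0:
        raise ValueError("period must be a positive number of seconds")
    secret = q.get("secret", "").replace(" ", "").upper()
    if not secret:
        raise ValueError("missing secret")
    cred["key"] = base64.b32decode(secret + "=" * (-len(secret) % 8))  # restore stripped padding
    return cred

def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def expected_code(cred, unix_time):
    """Code the credential should yield; TOTP uses unix_time // period as the counter."""
    counter = cred["counter"] if cred["oath_type"] == "HOTP" else int(unix_time) // cred["period"]
    return hotp(cred["key"], counter, cred["digits"], cred["algorithm"])

# Constructed sample URI using the RFC 6238 test secret ("12345678901234567890").
SAMPLE_URI = "otpauth://totp/Example:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&digits=8"
```

For a TOTP credential, expected_code(cred, time.time()) should equal the output of ykman oath accounts code -s for that credential when both are evaluated in the same period on a machine with a correct clock.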

Acronyms

3DES: Triple Data Encryption Algorithm
AES: Advanced Encryption Standard
CCC: Card Capability Container
CCID: Chip card interface device, a USB protocol for a smartcard.
CHUID: Card Holder Unique ID
CN: Common name
CSR: Certificate Signing Request
ECC: Elliptic curve cryptography
FIDO: Fast Identity Online
FIPS: Federal Information Processing Standards (US government) covering codes and encryption standards.
HMAC: Hash-based message authentication code
HOTP: HMAC-based One-Time Password algorithm
OATH: The Initiative for Open Authentication is an organization that specifies two open authentication standards, TOTP and HOTP
OTP: One-Time Password
PUK: PIN Unlock Key
stdin: standard input - usually keyboard or CLI instructions
stdout: standard output - usually print to screen
TOTP: Time-based One-Time Password algorithm
X.509: The standard defining the format of a public key certificate
