OTP Commands
Acronyms and their definitions are listed at the bottom of the Base Commands page.
ykman otp [OPTIONS] COMMAND [ARGS]…
Manage OTP application. The YubiKey provides two keyboard-based slots that can each be configured with a credential. Several credential types are supported. A slot configuration can be write-protected with an access code. This prevents the configuration from being overwritten without the access code provided.
Note
Mode-switching the YubiKey is not possible when a slot is configured with an access code.
Examples
Swap the configurations between the two slots:
$ ykman otp swap
Program a random challenge-response credential to slot 2:
$ ykman otp chalresp --generate 2
Program a Yubico OTP credential to slot 1, using the serial as public id:
$ ykman otp yubiotp 1 --serial-public-id
Program a random 38 character long static password to slot 2:
$ ykman otp static --generate 2 --length 38
Options
| Option | Description |
|---|---|
-h, --help |
Show this message and exit. |
--access-code HEX |
A 6-byte access code. Set to empty to use a
prompt for input.
|
Commands
| Command | Description |
|---|---|
calculate |
Perform a challenge-response operation. |
chalresp |
Program a challenge-response credential. |
delete |
Deletes the configuration stored in a slot. |
hotp |
Program an HMAC-SHA1 OATH-HOTP credential. |
info |
Display general status of the YubiKey OTP slots. |
ndef |
Configure a slot to be used over NDEF (NFC). |
settings |
Update the settings for a slot. |
static |
Configure a static password. |
swap |
Swaps the two slot configurations. |
yubiotp |
Program a Yubico OTP credential. |
ykman otp calculate [OPTIONS] {1|2} [CHALLENGE]
Perform a challenge-response operation. Send a challenge (in hex) to a YubiKey slot with a challenge-response credential, and read the response. Supports output as an OATH-TOTP code.
Arguments
| Argument | Description |
|---|---|
CHALLENGE |
Options
| Option | Description |
|---|---|
-h, --help |
Show this message and exit. |
-d, --digits [6|8] |
Number of digits in generated TOTP code.
[Default:
6] |
-T, --totp |
Generate a TOTP code, use the current time if
challenge is omitted.
|
ykman otp chalresp [OPTIONS] {1|2]} [KEY]
Program a challenge-response credential.
Arguments
| Argument | Description |
|---|---|
KEY |
If
KEY is not specified, an interactive prompt asksfor it.
|
Options
| Option | Description |
|---|---|
-h, --help |
Show this message and exit. |
-f, --force |
Confirm the action without prompting. |
-g, --generate |
Generate a random secret key. Conflicts with
KEYargument.
|
-t, --touch |
Require touch on the YubiKey to generate a response.
|
-T, --totp |
Use a base32-encoded key for TOTP credentials. |
ykman otp delete [OPTIONS] {1|2}
Deletes the configuration in the specified slot.
Options
| Option | Description |
|---|---|
-h, --help |
Show this message and exit. |
-f, --force |
Confirm the action without prompting. |
ykman otp hotp [OPTIONS] {1|2} [KEY]
Program an HMAC-SHA1 OATH-HOTP credential.
Arguments
| Argument | Description |
|---|---|
KEY |
Options
| Option | Description |
|---|---|
-h, --help |
Show this message and exit. |
-d, --digits [6|8] |
Number of digits in generated code.
[Default:
6] |
-c, --counter INTEGER |
Initial counter value. |
--no-enter |
Do not send an Enter keystroke after
outputting the code.
|
-f, --force |
Confirm the action without prompting. |
ykman otp info [OPTIONS]
Display general status of YubiKey OPT slots.
Options
| Option | Description |
|---|---|
-h, --help |
Show this message and exit. |
ykman otp ndef [OPTIONS] {1|2}
Configure a slot to be used over NDEF (NFC). The default prefix is used if no prefix is specified: “https://my.yubico.com/yk/#”
Options
| Option | Description |
|---|---|
-h, --help |
Show this message and exit. |
-p, --prefix TEXT |
Added before the NDEF payload. Typically a URI. |
ykman otp settings [OPTIONS] {1|2}
Update the settings for a slot. Change the settings for a slot without changing the stored secret. All settings not specified are written with default values.
Options
| Option | Description |
|---|---|
-h, --help |
Show this message and exit. |
-A, --new-access-code HEX |
Set a new 6-byte access code for
the slot.
Set to empty to use a prompt for input.
|
--delete-access-code |
Remove access code from the slot. |
--enter / --no-enter |
Should send Enter keystroke after
slot output. [Default:
True] |
-f, --force |
Confirm the action without prompting. |
-p, --pacing [0|20|40|60] |
Throttle output speed by adding a delay
(in ms) between characters emitted.
[Default:
0] |
--use-numeric-keypad |
Use scancodes for numeric keypad when
sending digits. Helps with some
keyboard layouts. [Default:
False] |
ykman otp static [OPTIONS] {1|2} [PASSWORD]
Configure a static password. To avoid problems with different keyboard layouts, the following characters (upper and lower case) are allowed by default:
c b d e f g h i j k l n r t u vUse the
--keyboard-layoutoption to allow more characters based on preferred keyboard layout.
Arguments
| Argument | Description |
|---|---|
PASSWORD |
Specify if required. |
Options
| Option | Description |
|---|---|
-h, --help |
Show this message and exit. |
-f, --force |
Confirm the action without prompting. |
-g, --generate |
Generate a random password. |
-k, --keyboard-layout[[MODHEX|US|UK|DE|FR|IT|BEPO|NORMAN] |
Keyboard layout to use for the static
password.
[Default:
KEYBOARD_LAYOUT.MODHEX] |
-l, --length LENGTH |
Length of generated password.
[Default: 38;1<=x<=38]
|
--no-enter |
Do not send an Enter keystroke after
outputting the password.
|
ykman otp swap [OPTIONS]
Swaps the two slot configurations.
Options
| Option | Description |
|---|---|
-h, --help |
Show this message and exit. |
-f, --force |
Confirm the action without prompting. |
ykman otp yubiotp [OPTIONS] {1|2}
Program a Yubico OTP credential.
Options
| Option | Description |
|---|---|
-h, --help |
Show this message and exit. |
-f, --force |
Confirm the action without prompting. |
-k, --key HEX |
16-byte secret key. |
-g, --generate-private-id |
Generate a random private ID. Conflicts
with
--private-id. |
-G, --generate-key |
Generate a random secret key. Conflicts
with
--key. |
--no-enter |
Do not send an Enter keystroke after
emitting the OTP.
|
-P, --public-id MODHEX |
Public identifier prefix.
|
-p, --private-id HEX |
6-byte private identifier.
|
-S, --serial-public-id |
Use YubiKey serial number as public ID.
Conflicts with
--public-id. |
-u, --upload |
Upload credential to YubiCloud. This
opens in browser. If you are running as
an elevated user, the browser may also
be elevated. Conflicts with
--force. |
Click for Yubico Support.