OTP Commands

Acronyms and their definitions are listed at the bottom of this page.

ykman otp [OPTIONS] COMMAND [ARGS]…

Description:

Manage OTP application. The YubiKey provides two keyboard-based slots that can each be configured with a credential. Several credential types are supported. A slot configuration can be write-protected with an access code. This prevents the configuration from being overwritten unless the access code is supplied.

Note

Mode switching the YubiKey is not possible when a slot is configured with an access code.

Examples

  • Swap the configurations between the two slots: $ ykman otp swap
  • Program a random challenge-response credential to slot 2: $ ykman otp chalresp --generate 2
  • Program a Yubico OTP credential to slot 1, using the serial as public id: $ ykman otp yubiotp 1 --serial-public-id
  • Program a random 38 characters long static password to slot 2: $ ykman otp static --generate 2 --length 38

Options

  • --access-code HEX A 6-byte access code. Set to empty to use a prompt for input.
  • -h, --help Show this message and exit.

Commands

  • calculate Perform a challenge-response operation.
  • chalresp Program a challenge-response credential.
  • delete Deletes the configuration stored in a slot.
  • hotp Program an HMAC-SHA1 OATH-HOTP credential.
  • info Display general status of the YubiKey OTP slots.
  • ndef Configure a slot to be used over NDEF (NFC).
  • settings Update the settings for a slot.
  • static Configure a static password.
  • swap Swaps the two slot configurations.
  • yubiotp Program a Yubico OTP credential.

ykman otp calculate [OPTIONS] [1|2] [CHALLENGE]

Description: Perform a challenge-response operation. Send a challenge (in hex) to a YubiKey slot with a challenge-response credential, and read the response. Supports output as an OATH-TOTP code.

Options

  • -T, --totp Generate a TOTP code, using the current time as challenge.
  • -d, --digits [6|8] Number of digits in generated TOTP code. [Default: 6]
  • -h, --help Show this message and exit.

ykman otp chalresp [OPTIONS] [1|2] [KEY]

Description: Program a challenge-response credential. If KEY is not specified, an interactive prompt will ask for it.

Options

  • -t, --touch Require that the YubiKey be touched to generate response.
  • -T, --totp Use a base32-encoded key for TOTP credentials.
  • -g, --generate Generate a random secret key. Conflicts with KEY argument.
  • -f, --force Confirm the action without prompting.
  • -h, --help Show this message and exit.

ykman otp delete [OPTIONS] [1|2]

Description: Deletes the configuration of a slot.

Options

  • -f, --force Confirm the action without prompting.
  • -h, --help Show this message and exit.

ykman otp hotp [OPTIONS] [1|2] [KEY]

Description: Program an HMAC-SHA1 OATH-HOTP credential.

Options

  • -d, --digits [6|8] Number of digits in generated code. [Default: 6]
  • -c, --counter INTEGER Initial counter value.
  • --no-enter Do not send an ‘Enter’ keystroke after outputting the code.
  • -f, --force Confirm the action without prompting.
  • -h, --help Show this message and exit.
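Both `ykman otp calculate --totp` (above) and the `hotp` command rest on the same primitive: the slot computes HMAC-SHA1 over a challenge with its programmed secret, and the 20-byte result is reduced to a 6- or 8-digit code by RFC 4226 dynamic truncation. The following Python is an added illustration, not ykman's own code; it models the slot computation in software (on a real YubiKey the secret never leaves the device) and assumes, as ykman is believed to do, that the TOTP challenge is the 30-second time step sent as an 8-byte big-endian integer. The base32 helper mirrors the `chalresp --totp` key format, and `verify_hotp` shows the server side: a counter-window check that refuses replays.

```python
import base64
import hashlib
import hmac
import struct


def slot_hmac_sha1_response(secret: bytes, challenge: bytes) -> bytes:
    """Software model of a challenge-response slot (assumption for this example):
    HMAC-SHA1 over the challenge with the programmed 20-byte secret."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def dynamic_truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation of a 20-byte HMAC-SHA1 into a decimal code."""
    if digits not in (6, 8):
        raise ValueError("ykman supports 6 or 8 digits")
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    (word,) = struct.unpack(">I", mac[offset:offset + 4])
    code = (word & 0x7FFFFFFF) % (10 ** digits)  # drop sign bit, keep `digits` digits
    return str(code).zfill(digits)


def hotp_code(secret: bytes, counter: int, digits: int = 6) -> str:
    """OATH-HOTP: the moving factor is an 8-byte big-endian event counter."""
    return dynamic_truncate(slot_hmac_sha1_response(secret, struct.pack(">Q", counter)), digits)


def totp_challenge(unix_time: int, period: int = 30) -> bytes:
    """Challenge assumed to be sent by `calculate --totp`: the time step as 8 bytes."""
    return struct.pack(">Q", unix_time // period)


def totp_code(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """OATH-TOTP derived from the challenge-response slot."""
    return dynamic_truncate(slot_hmac_sha1_response(secret, totp_challenge(unix_time)), digits)


def key_from_base32(text: str) -> bytes:
    """`chalresp --totp` accepts a base32 key (authenticator-app style).
    Strip spaces, uppercase and re-pad so the stdlib decoder accepts it."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def verify_hotp(secret: bytes, code: str, last_counter: int, window: int = 10, digits: int = 6):
    """Server-side HOTP check: accept only counters strictly after the last
    accepted one, inside a small look-ahead window, and return the counter to
    persist so the same code cannot be replayed. None means reject."""
    for counter in range(last_counter + 1, last_counter + 1 + window):
        if hmac.compare_digest(hotp_code(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    # Constructed demo secret: the RFC 4226 / RFC 6238 test key.
    secret = key_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("HOTP, counter 0:", hotp_code(secret, 0))
    print("TOTP at t=59, 8 digits:", totp_code(secret, 59, 8))
    print("verify next HOTP:", verify_hotp(secret, hotp_code(secret, 1), last_counter=0))
```

The RFC test key is used so the output can be checked against the published vectors; a production secret is generated with `chalresp --generate` or `hotp` and is never printed. Note that `verify_hotp` returns the counter it matched, which the caller must store before accepting the login: skipping that write is what turns a one-time code into a reusable one.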

ykman otp info [OPTIONS]

Description: Display status of YubiKey slots.

Options

  • -h, --help Show this message and exit.

ykman otp ndef [OPTIONS] [1|2]

Description: Configure a slot to be used over NDEF (NFC). The default prefix will be used if no prefix is specified: “https://my.yubico.com/yk/#”

Options

  • -p, --prefix TEXT Added before the NDEF payload. Typically a URI.
  • -h, --help Show this message and exit.

ykman otp settings [OPTIONS] [1|2]

Description: Update the settings for a slot. Change the settings for a slot without changing the stored secret. All settings not specified will be written with default values.

Options

  • -f, --force Confirm the action without prompting.
  • -A, --new-access-code HEX Set a new 6-byte access code for the slot. Set to empty to use a prompt for input.
  • --delete-access-code Remove access code from the slot.
  • --enter / --no-enter Whether to send an ‘Enter’ keystroke after slot output. [Default: True]
  • -p, --pacing [0|20|40|60] Throttle output speed by adding a delay (in ms) between characters emitted. [Default: 0]
  • --use-numeric-keypad Use scancodes for numeric keypad when sending digits. Helps with some keyboard layouts. [Default: False]
  • -h, --help Show this message and exit.

ykman otp static [OPTIONS] [1|2] [PASSWORD]

Description:

Configure a static password. To avoid problems with different keyboard layouts, the following characters are allowed by default:

c b d e f g h i j k l n r t u v

Use the --keyboard-layout option to allow more characters based on preferred keyboard layout.

Options

  • -g, --generate Generate a random password.
  • -l, --length INTEGER RANGE Length of generated password.
  • -k, --keyboard-layout [MODHEX|US|DE|NORMAN] Keyboard layout to use for the static password. [Default: MODHEX]
  • --no-enter Do not send an ‘Enter’ keystroke after outputting the password.
  • -f, --force Confirm the action without prompting.
  • -h, --help Show this message and exit.

ykman otp swap [OPTIONS]

Description: Swaps the two slot configurations.

Options

  • -f, --force Confirm the action without prompting.
  • -h, --help Show this message and exit.

ykman otp yubiotp [OPTIONS] [1|2]

Description: Program a Yubico OTP credential.

Options

  • -P, --public-id MODHEX Public identifier prefix.
  • -p, --private-id HEX 6-byte private identifier.
  • -k, --key HEX 16-byte secret key.
  • --no-enter Do not send an ‘Enter’ keystroke after emitting the OTP.
  • -S, --serial-public-id Use YubiKey serial number as public ID. Conflicts with --public-id.
  • -g, --generate-private-id Generate a random private ID. Conflicts with --private-id.
  • -G, --generate-key Generate a random secret key. Conflicts with --key.
  • -u, --upload Upload credential to YubiCloud (opens in browser). Conflicts with --force.
  • -f, --force Confirm the action without prompting.
  • -h, --help Show this message and exit.
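The 16 characters the `static` command allows by default are the modhex alphabet, which is also the encoding of `--public-id MODHEX` above and of every Yubico OTP the key types. The YubiKey emits USB keyboard scancodes rather than characters, and these 16 letters sit on the same physical keys across common layouts, which is why they are the layout-safe default and why `--keyboard-layout US` or `DE` can widen the set only when the host layout is known. The Python below is an added example, not part of the ykman project: a modhex codec, a check that a static password stays inside the default set, and a split of a Yubico OTP into its public-ID prefix and 16-byte encrypted token (the OTP is constructed for the demo).

```python
MODHEX_ALPHABET = "cbdefghijklnrtuv"   # nibble value 0..15, in order
HEX_ALPHABET = "0123456789abcdef"


def modhex_encode(data: bytes) -> str:
    """Two modhex characters per byte, high nibble first."""
    return "".join(MODHEX_ALPHABET[b >> 4] + MODHEX_ALPHABET[b & 0x0F] for b in data)


def modhex_decode(text: str) -> bytes:
    """Inverse of modhex_encode; rejects odd length or non-modhex characters."""
    text = text.lower()
    if len(text) % 2 != 0 or any(c not in MODHEX_ALPHABET for c in text):
        raise ValueError("not a valid modhex string")
    nibbles = [MODHEX_ALPHABET.index(c) for c in text]
    return bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, len(nibbles), 2))


def hex_to_modhex(text: str) -> str:
    """Convert a hex string (e.g. a 6-byte private id) to its modhex spelling."""
    return modhex_encode(bytes.fromhex(text))


def modhex_to_hex(text: str) -> str:
    return modhex_decode(text).hex()


def uses_default_static_charset(password: str) -> bool:
    """True if a static password only uses the characters allowed without
    --keyboard-layout, i.e. it will type correctly on any common layout."""
    return bool(password) and all(c in MODHEX_ALPHABET for c in password)


def split_yubico_otp(otp: str):
    """A Yubico OTP ends with 32 modhex characters, the AES-encrypted 16-byte
    token; whatever precedes them is the public-ID prefix (typically 12
    characters, i.e. 6 bytes). Returns (public_id_modhex, token_bytes)."""
    otp = otp.strip().lower()
    if len(otp) < 32:
        raise ValueError("OTP shorter than the 32-character token")
    public_id, token = otp[:-32], otp[-32:]
    if public_id:
        modhex_decode(public_id)  # validates the prefix characters
    return public_id, modhex_decode(token)


if __name__ == "__main__":
    # Constructed values for the demo; not real credentials.
    print(hex_to_modhex("0123456789abcdef"))          # the alphabet itself
    print(uses_default_static_charset("hjklnrtuvcbdef"))
    otp = "cccccccccccc" + "hknhfjbrjnlnldnhcujvddbikngjrtgh"
    public_id, token = split_yubico_otp(otp)
    print(public_id, modhex_to_hex(public_id), len(token))
```

Only the public-ID prefix can be read from an OTP without the slot's AES key; the token is opaque to anyone but the validation server, so logging the prefix alone is enough to attribute an OTP to a key without exposing anything usable.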

Acronyms

3DES: Triple Data Encryption Algorithm
AES: Advanced Encryption Standard
CCC: Card Capability Container
CCID: Chip card interface device, a USB protocol for a smartcard.
CHUID: Card Holder Unique ID
CN: Common name
CSR: Certificate Signing Request
ECC: Elliptic curve cryptography
FIDO: Fast Identity Online
FIPS: Federal Information Processing Standards (US government) covering codes and encryption standards.
HMAC: Hash-based message authentication code
HOTP: HMAC-based One-Time Password algorithm
OATH: The Initiative for Open Authentication, an organization that specifies two open authentication standards, TOTP and HOTP.
OTP: One-Time Password
PUK: PIN Unlock Key
stdin: standard input, usually keyboard or CLI instructions
stdout: standard output, usually printed to the screen
TOTP: Time-based One-Time Password algorithm
X.509: The standard defining the format of a public key certificate

To get in touch with Yubico Support, go to https://support.yubico.com/hc/en-us/requests/new.