OTP Commands

Acronyms and their definitions are listed at the bottom of the Base Commands page.

ykman otp [OPTIONS] COMMAND [ARGS]…

Description:Manage OTP application. The YubiKey provides two keyboard-based slots that can each be configured with a credential. Several credential types are supported. A slot configuration can be write-protected with an access code. This prevents the configuration from being overwritten without the access code provided.

Note

Mode-switching the YubiKey is not possible when a slot is configured with an access code.

Examples

Swap the configurations between the two slots:

$ ykman otp swap

Program a random challenge-response credential to slot 2:

$ ykman otp chalresp --generate 2

Program a Yubico OTP credential to slot 1, using the serial as public id:

$ ykman otp yubiotp 1 --serial-public-id

Program a random 38 character long static password to slot 2:

$ ykman otp static --generate 2 --length 38

Options

Option Description
-h, --help Show this message and exit.
--access-code HEX
A 6-byte access code. Set to empty to use a prompt
for input.

Commands

Command Description
calculate Perform a challenge-response operation.
chalresp Program a challenge-response credential.
delete Deletes the configuration stored in a slot.
hotp Program an HMAC-SHA1 OATH-HOTP credential.
info Display general status of the YubiKey OTP slots.
ndef Configure a slot to be used over NDEF (NFC).
settings Update the settings for a slot.
static Configure a static password.
swap Swaps the two slot configurations.
yubiotp Program a Yubico OTP credential.

ykman otp calculate [OPTIONS] {1|2} [CHALLENGE]

Description:Perform a challenge-response operation. Send a challenge (in hex) to a YubiKey slot with a challenge-response credential, and read the response. Supports output as an OATH-TOTP code.

Arguments

Argument Description
CHALLENGE

Options

Option Description
-h, --help Show this message and exit.
-d, --digits [6|8]
Number of digits in generated TOTP code.
[Default: 6]
-T, --totp
Generate a TOTP code, use the current time if
challenge is omitted.

ykman otp chalresp [OPTIONS] {1|2]} [KEY]

Description:Program a challenge-response credential.

Arguments

Argument Description
KEY If KEY is not specified, an interactive prompt asks for it.

Options

Option Description
-h, --help Show this message and exit.
-f, --force Confirm the action without prompting.
-g, --generate
Generate a random secret key. Conflicts with KEY
argument.
-t, --touch
Require touch on the YubiKey to generate a response.
-T, --totp Use a base32-encoded key for TOTP credentials.

ykman otp delete [OPTIONS] {1|2}

Description:Deletes the configuration in the specified slot.

Options

Option Description
-h, --help Show this message and exit.
-f, --force Confirm the action without prompting.

ykman otp hotp [OPTIONS] {1|2} [KEY]

Description:Program an HMAC-SHA1 OATH-HOTP credential.

Arguments

Argument Description
KEY  

Options

Option Description
-h, --help Show this message and exit.
-d, --digits [6|8]
Number of digits in generated code.
[Default: 6]
-c, --counter INTEGER Initial counter value.
--no-enter
Do not send an Enter keystroke after
outputting the code.
-f, --force Confirm the action without prompting.

ykman otp info [OPTIONS]

Description:Display general status of YubiKey OPT slots.

Options

Option Description
-h, --help Show this message and exit.

ykman otp ndef [OPTIONS] {1|2}

Description:Configure a slot to be used over NDEF (NFC). The default prefix is used if no prefix is specified: “https://my.yubico.com/yk/#”

Options

Option Description
-h, --help Show this message and exit.
-p, --prefix TEXT Added before the NDEF payload. Typically a URI.

ykman otp settings [OPTIONS] {1|2}

Description:Update the settings for a slot. Change the settings for a slot without changing the stored secret. All settings not specified are written with default values.

Options

Option Description
-h, --help Show this message and exit.
-A, --new-access-code HEX
Set a new 6-byte access code for the slot.
Set to empty to use a prompt for input.
--delete-access-code Remove access code from the slot.
--enter / --no-enter
Should send Enter keystroke after slot
output. [Default: True]
-f, --force Confirm the action without prompting.
-p, --pacing [0|20|40|60]
Throttle output speed by adding a delay
(in ms) between characters emitted.
[Default: 0]
--use-numeric-keypad
Use scancodes for numeric keypad when
sending digits. Helps with some keyboard
layouts. [Default: False]

ykman otp static [OPTIONS] {1|2} [PASSWORD]

Description:

Configure a static password. To avoid problems with different keyboard layouts, the following characters (upper and lower case) are allowed by default:

c b d e f g h i j k l n r t u v

Use the --keyboard-layout option to allow more characters based on preferred keyboard layout.

Arguments

Argument Description
PASSWORD Specify if required.

Options

Option Description
-h, --help Show this message and exit.
-f, --force Confirm the action without prompting.
-g, --generate Generate a random password.
-k, --keyboard-layout
[[MODHEX|US|UK|DE|FR|
IT|BEPO|NORMAN]
Keyboard layout to use for the static
password.
[Default: KEYBOARD_LAYOUT.MODHEX]
-l, --length LENGTH
Length of generated password.
[Default: 38;1<=x<=38]
--no-enter
Do not send an Enter keystroke after
outputting the password.

ykman otp swap [OPTIONS]

Description:Swaps the two slot configurations.

Options

Option Description
-h, --help Show this message and exit.
-f, --force Confirm the action without prompting.

ykman otp yubiotp [OPTIONS] {1|2}

Description:Program a Yubico OTP credential.

Options

Option Description
-h, --help Show this message and exit.
-f, --force Confirm the action without prompting.
-k, --key HEX 16-byte secret key.
-g, --generate-private-id
Generate a random private ID. Conflicts
with --private-id.
-G, --generate-key
Generate a random secret key. Conflicts
with --key.
--no-enter
Do not send an Enter keystroke after
emitting the OTP.
-P, --public-id MODHEX
Public identifier prefix.
-p, --private-id HEX
6-byte private identifier.
-S, --serial-public-id
Use YubiKey serial number as public ID.
Conflicts with --public-id.
-u, --upload
Upload credential to YubiCloud (opens in
browser). Conflicts with --force.

To get in touch with Yubico Support, click here.