OTP Commands
Acronyms and their definitions are listed at the bottom of the Base Commands page.
ykman otp [OPTIONS] COMMAND [ARGS]…
Manage OTP application. The YubiKey provides two keyboard-based slots that can each be configured with a credential. Several credential types are supported. A slot configuration can be write-protected with an access code. This prevents the configuration from being overwritten without the access code being provided.
Note
Mode-switching the YubiKey is not possible when a slot is configured with an access code.
To provide an access code to commands which require it, use the --access-code option. This option must be given directly after the otp command, before any sub-command.
Examples
Swap the configurations between the two slots:
$ ykman otp swap
Program a random challenge-response credential to slot 2:
$ ykman otp chalresp --generate 2
Program a Yubico OTP credential to slot 1, using the serial as public ID:
$ ykman otp yubiotp 1 --serial-public-id
Program a random 38 character static password to slot 2:
$ ykman otp static --generate 2 --length 38
Remove a currently set access code from slot 2:
$ ykman otp --access-code 0123456789ab settings 2 --delete-access-code
Options
Option | Description |
---|---|
-h, --help | Show this message and exit. |
--access-code HEX | A 6-byte access code. Set to empty to use a prompt for input. |
Commands
Command | Description |
---|---|
calculate | Perform a challenge-response operation. |
chalresp | Program a challenge-response credential. |
delete | Deletes the configuration stored in a slot. |
hotp | Program an HMAC-SHA1 OATH-HOTP credential. |
info | Display general status of the YubiKey OTP slots. |
ndef | Configure a slot to be used over NDEF (NFC). |
settings | Update the settings for a slot. |
static | Configure a static password. |
swap | Swaps the two slot configurations. |
yubiotp | Program a Yubico OTP credential. |
ykman otp calculate [OPTIONS] {1|2} [CHALLENGE]
Perform a challenge-response operation. Send a challenge to a YubiKey slot with a challenge-response credential, and read the response. Supports output as an OATH-TOTP code.
Challenge default is hex, but base32 with the --totp setting.
Slot options are 1 or 2.
Arguments
Argument | Description |
---|---|
CHALLENGE |
Options
Option | Description |
---|---|
-h, --help | Show this message and exit. |
-d, --digits [6|8] | Number of digits in generated TOTP code. Ignored unless --totp is set. [Default: 6] |
-T, --totp | Generate a TOTP code, use the current time if challenge is omitted. |
ykman otp chalresp [OPTIONS] {1|2} [KEY]
Program a challenge-response credential for slot 1 or 2.
Arguments
Argument | Description |
---|---|
KEY | A key given in hex. If --totp is specified, the key is in base32. If KEY is not specified, an interactive prompt asks for it. |
Options
Option | Description |
---|---|
-h, --help | Show this message and exit. |
-f, --force | Confirm the action without prompting. |
-g, --generate | Generate a random secret key. Cannot be used with KEY argument. |
-t, --touch | Require touch on the YubiKey to generate a response. |
-T, --totp | Use a base32 encoded key for TOTP credentials. Optionally, can be padded. |
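To check a test credential programmed with chalresp --totp against the output of calculate --totp, the same code can be computed in software. The following is an added example, not part of ykman or of the original page: the function names are hypothetical, and it assumes the standard RFC 4226 / RFC 6238 construction (HMAC-SHA1 over the 8-byte time-step counter, 30-second period) with a base32 key that may or may not be padded.

```python
import base64
import hashlib
import hmac
import struct


def parse_b32_key(text: str) -> bytes:
    """Decode a base32 key, accepting lower case, spaces and missing padding."""
    cleaned = text.upper().replace(" ", "").rstrip("=")
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding to a multiple of 8
    return base64.b32decode(cleaned)


def truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation of a 20-byte HMAC-SHA1 value."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """OATH-HOTP: HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    return truncate(mac, digits)


def totp(key: bytes, timestamp: int, digits: int = 6, period: int = 30) -> str:
    """OATH-TOTP: HOTP with the counter derived from the Unix time."""
    return hotp(key, timestamp // period, digits)


# Constructed sample: the RFC 4226 / RFC 6238 SHA-1 test key, base32 encoded,
# written in lower case with spaces to exercise the key parser.
SAMPLE_KEY_B32 = "gezdgnbv gy3tqojq gezdgnbv gy3tqojq"

if __name__ == "__main__":
    key = parse_b32_key(SAMPLE_KEY_B32)
    print("TOTP, 8 digits, t=59:", totp(key, 59, digits=8))
    print("TOTP, 6 digits, t=59:", totp(key, 59))
    print("HOTP, counter 0:     ", hotp(key, 0))
```

The digits argument corresponds to the -d, --digits option; a mismatch between the computed and displayed code usually points to a wrong key encoding or clock skew on the host.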
ykman otp delete [OPTIONS] {1|2}
Deletes the configuration in the specified slot, 1 or 2.
Options
Option | Description |
---|---|
-h, --help | Show this message and exit. |
-f, --force | Confirm the action without prompting. |
ykman otp hotp [OPTIONS] {1|2} [KEY]
Program an HMAC-SHA1 OATH-HOTP credential for slot 1 or 2.
The YubiKey can be configured to output an OATH Token Identifier as a prefix to the OTP itself, which consists of OMP+TT+MUI. Using the --identifier option, specify the:
- OMP+TT as 4 characters
- MUI as 8 characters
- full OMP+TT+MUI as 12 characters.
If omitted, the default value of ubhe is used for OMP+TT, and the YubiKey serial number is used as MUI.
Arguments
Argument | Description |
---|---|
KEY | A key given in hex. If KEY is not specified, an interactive prompt asks for it. |
Options
Option | Description |
---|---|
-h, --help | Show this message and exit. |
-d, --digits [6|8] | Number of digits in generated code. [Default: 6] |
-c, --counter INTEGER | Initial counter value. |
-f, --force | Confirm the action without prompting. |
-i, --identifier TEXT | Token identifier. |
--no-enter | Do not send an Enter keystroke after outputting the code. |
ykman otp info [OPTIONS]
Display general status of YubiKey OTP slots.
Options
Option | Description |
---|---|
-h, --help | Show this message and exit. |
ykman otp ndef [OPTIONS] {1|2}
Configure slot 1 or 2 to be used over NDEF (NFC).
If --prefix is not specified, a default value is used, based on the type:
- For URI the default value is: “https://my.yubico.com/yk/#”
- For TEXT the default is an empty string
Options
Option | Description |
---|---|
-h, --help | Show this message and exit. |
-p, --prefix TEXT | Added before the NDEF payload. Typically a URI. |
-t, --ndef-type [TEXT|URI] | NDEF payload type. [Default: URI] |
ykman otp settings [OPTIONS] {1|2}
Update the settings for slot 1 or 2. Change the settings for a slot without changing the stored secret. All settings not specified are written with default values.
Options
Option | Description |
---|---|
-h, --help | Show this message and exit. |
-A, --new-access-code HEX | Set a new 6-byte access code for the slot. Use - as value to prompt for input. |
--delete-access-code | Remove access code from the slot. |
--enter / --no-enter | Send Enter keystroke after slot output. [Default: enter] |
-f, --force | Confirm the action without prompting. |
-p, --pacing [0|20|40|60] | Throttle output speed by adding a delay (in ms) between characters emitted. [Default: 0] |
--use-numeric-keypad | Use scan codes for numeric keypad when sending digits. Helps with some keyboard layouts. [Default: False] |
ykman otp static [OPTIONS] {1|2} [PASSWORD]
Configure a static password for slot 1 or 2. To avoid problems with different keyboard layouts, the following characters (upper and lower case) are allowed by default:
c b d e f g h i j k l n r t u v
Use the --keyboard-layout option to allow more characters based on preferred keyboard layout.
Arguments
Argument | Description |
---|---|
PASSWORD | Specify if required. |
Options
Option | Description |
---|---|
-h, --help | Show this message and exit. |
-f, --force | Confirm the action without prompting. |
-g, --generate | Generate a random password. |
-k, --keyboard-layout [MODHEX|US|UK|DE|FR|IT|BEPO|NORMAN] | Keyboard layout to use for the static password. Default: KEYBOARD_LAYOUT.MODHEX |
-l, --length LENGTH | Length of generated password. Default: 38; 1<=x<=38 |
--no-enter | Do not send an Enter keystroke after outputting the password. |
ykman otp swap [OPTIONS]
Swaps the two slot configurations.
Options
Option | Description |
---|---|
-h, --help | Show this message and exit. |
-f, --force | Confirm the action without prompting. |
ykman otp yubiotp [OPTIONS] {1|2}
Program a Yubico OTP credential for slot 1 or 2.
Options
Option | Description |
---|---|
-h, --help | Show this message and exit. |
-f, --force | Confirm the action without prompting. |
-k, --key HEX | 16-byte secret key. |
-g, --generate-private-id | Generate a random private ID. Cannot be used with --private-id. |
-G, --generate-key | Generate a random secret key. Cannot be used with --key. |
--no-enter | Do not send an Enter keystroke after emitting the OTP. |
-O, --config-output FILENAME | Output configuration to a file. Existing files are appended. |
-P, --public-id MODHEX | Public identifier prefix. |
-p, --private-id HEX | 6-byte private identifier. |
-S, --serial-public-id | Use YubiKey serial number as public ID. Cannot be used with --public-id. |
-u, --upload | Upload credential to YubiCloud. This opens a browser. Cannot be used with --force. |