Introduction

The YubiKey Manager (ykman) is a cross-platform application for managing and configuring a YubiKey. It is available as a graphical user interface (GUI), a command line interface (CLI), and a Python library (Python 3.6 or later). It provides an easy way to perform the most common configuration tasks on a YubiKey, such as:

  • Displaying the serial number and firmware version of a YubiKey (see YubiKey Firmware)
  • Configuring a FIDO2 PIN
  • Resetting the FIDO applications
  • Configuring the OTP application. A YubiKey has two slots (Short Touch and Long Touch). This tool can configure a Yubico OTP credential, a static password, a challenge-response credential or an OATH HOTP credential in either or both of these slots.
  • Managing certificates and PINs for the PIV application
  • Swapping the credentials between two configured slots
  • Enabling and disabling USB and NFC interfaces

Some of the more advanced options are only available through the command line.

This guide contains the instructions for using both ykman’s CLI and its GUI.

  • For the GUI, see Using the YubiKey Manager GUI in this guide.
  • For the CLI, see the rest of this guide. The commands are organized by protocol. Commands that do not relate specifically to a particular protocol are listed in Base Commands.

YubiKey Firmware

The YubiKey firmware is separate from the YubiKey itself in the sense that it is put onto each YubiKey in a process separate from the manufacture of the physical key. Nonetheless, it can be neither removed nor altered. Yubico periodically updates the YubiKey firmware to take advantage of features and capabilities introduced into operating systems (OSs) such as Windows, as well as to enable new YubiKey features and capabilities.

The firmware version on a YubiKey therefore determines whether or not a feature or a capability is available to that YubiKey. The quickest and most convenient way to determine your YubiKey’s firmware version is to use ykman.
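
The following is an added example, not part of Yubico's documentation: it parses the text printed by `ykman info` and checks the firmware version against a required minimum, which is useful when inventorying keys before rolling out a feature. The sample output, the serial number and the `(5, 4, 0)` floor are constructed for illustration, and the function names are hypothetical.

```python
import re
import subprocess

# Constructed sample of `ykman info` output (serial and version are made up).
SAMPLE_INFO = """\
Device type: YubiKey 5 NFC
Serial number: 12345678
Firmware version: 5.2.7
Form factor: Keychain (USB-A)
Enabled USB interfaces: OTP, FIDO, CCID
"""

_FIELD = re.compile(r"^(Device type|Serial number|Firmware version):\s*(.+?)\s*$", re.M)


def parse_info(text):
    """Return device type, serial and firmware version (as an int tuple)."""
    fields = dict(_FIELD.findall(text))
    raw = fields.get("Firmware version")
    if raw is None or not re.fullmatch(r"\d+(\.\d+)*", raw):
        raise ValueError("no usable 'Firmware version' line in ykman info output")
    return {
        "device": fields.get("Device type"),
        "serial": fields.get("Serial number"),
        "firmware": tuple(int(p) for p in raw.split(".")),
    }


def meets_minimum(info, minimum):
    """Compare numerically so that 5.10.0 is treated as newer than 5.4.3."""
    return info["firmware"] >= tuple(minimum)


def read_connected_key():
    """Run ykman against the attached YubiKey (requires ykman on PATH)."""
    out = subprocess.run(["ykman", "info"], capture_output=True, text=True, check=True)
    return parse_info(out.stdout)


if __name__ == "__main__":
    info = parse_info(SAMPLE_INFO)
    required = (5, 4, 0)  # hypothetical policy floor, not a value from Yubico
    print(info, "OK" if meets_minimum(info, required) else "below required firmware")
```

Because the firmware cannot be altered, a key that falls below the required version has to be replaced rather than updated.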