FIDO2 Reset
The FIDO2 application can be reset on all YubiKeys that support FIDO2. A reset will remove any credentials present and set the application to the "no PIN" state.
However, there are some caveats:
- The YubiKey will no longer be able to perform authentication with any credential that existed before the reset. This applies to discoverable and non-discoverable credentials alike, so every relying party that registered the key must be re-enrolled afterwards.
- The process of resetting is a bit complicated; the .NET YubiKey API does not include a higher-level Fido2Session method for performing the entire operation. Instead, you must use a lower-level command class as described below.
Note
The per-application FIDO reset can be used on YubiKey Bio Multi-protocol Edition keys only if the FIDO application is not "blocked" (check the key's ResetBlocked property to confirm before starting). Otherwise, the device-wide reset must be used instead.
Steps
Resetting the FIDO2 application is something you hope you never need to do. Generally, the only reason to reset the FIDO2 application is that the PIN has been blocked (too many consecutive incorrect PIN attempts) or forgotten, since a reset is the only way back to the "no PIN" state.
To perform a FIDO2 reset, complete the following:
"Reboot" the YubiKey by removing it from the host device and reinserting it. Once it has been reinserted, connect to the YubiKey and its FIDO2 application. This will likely be done using a listener class (see YubiKeyDeviceListener) so that the reinsertion is detected as soon as it happens.
Within a time limit measured from the reboot (10 seconds for YubiKeys with firmware version 5.5.4 and later, or 5 seconds for firmware versions prior to 5.5.2), send the ResetCommand. If the command arrives after the window has closed, the YubiKey rejects it and the reboot must be repeated.
Note
The reboot requirement and 10-second timeout are mandated by the CTAP 2.1 standard.
The YubiKey will not respond with the ResetResponse immediately. Within 30 seconds, a user must touch the contact of the YubiKey. If the touch does not occur in time, the YubiKey will return the ResetResponse with a StatusWord of 0x6F3A, the CTAP user-action timeout error (the Status property will be Failed). If the user touches the contact within the time limit, then the FIDO2 application will be reset (the StatusWord property will be 0x9000, and the Status property will be Success). See the FIDO2 reset APDU documentation for information on other possible StatusWord responses.
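The following is an added example that strings the steps above together; it is not the SDK's own Fido2Reset.cs sample. It uses the YubiKeyDeviceListener Arrived/Removed events, IYubiKeyDevice.Connect, ResetCommand and ResetResponse as described on this page. The ResetBlocked check assumes that property is a YubiKeyCapabilities flags value (an assumption of this example), and the wait timeouts for removal and reinsertion are arbitrary values chosen here.

```csharp
using System;
using System.Threading;
using Yubico.YubiKey;
using Yubico.YubiKey.Fido2.Commands;

// Added example, not part of the SDK or its sample program.
public static class Fido2ResetExample
{
    // Resets the FIDO2 application of the given YubiKey. Returns true on success
    // (StatusWord 0x9000), false if the reset was refused or the user did not touch.
    public static bool ResetFido2(IYubiKeyDevice device)
    {
        // Bio Multi-protocol Edition: a per-application reset is refused when the
        // FIDO application is blocked. (Assumes ResetBlocked is a YubiKeyCapabilities flags value.)
        if ((device.ResetBlocked & YubiKeyCapabilities.Fido2) != 0)
        {
            throw new InvalidOperationException(
                "FIDO reset is blocked on this key; use the device-wide reset instead.");
        }

        int? serial = device.SerialNumber;
        var listener = YubiKeyDeviceListener.Instance;
        using var removed = new ManualResetEventSlim(false);
        using var arrived = new ManualResetEventSlim(false);
        IYubiKeyDevice? rebooted = null;

        // Match on serial number so another key plugged in meanwhile is not reset by mistake.
        EventHandler<YubiKeyDeviceEventArgs> onRemoved = (_, e) =>
        {
            if (serial is null || e.Device.SerialNumber == serial) { removed.Set(); }
        };
        EventHandler<YubiKeyDeviceEventArgs> onArrived = (_, e) =>
        {
            if (removed.IsSet && (serial is null || e.Device.SerialNumber == serial))
            {
                rebooted = e.Device;
                arrived.Set();
            }
        };

        listener.Removed += onRemoved;
        listener.Arrived += onArrived;
        try
        {
            Console.WriteLine("Remove the YubiKey, then reinsert it.");
            if (!removed.Wait(TimeSpan.FromSeconds(60)))   // arbitrary wait chosen for this example
            {
                throw new TimeoutException("The YubiKey was not removed.");
            }
            if (!arrived.Wait(TimeSpan.FromSeconds(60)))   // arbitrary wait chosen for this example
            {
                throw new TimeoutException("The YubiKey was not reinserted.");
            }
        }
        finally
        {
            listener.Removed -= onRemoved;
            listener.Arrived -= onArrived;
        }

        // The ResetCommand must reach the key within the post-reboot window (5 or 10 s,
        // depending on firmware), so connect and send immediately; do not prompt first.
        using IYubiKeyConnection connection = rebooted!.Connect(YubiKeyApplication.Fido2);
        Console.WriteLine("Touch the YubiKey within 30 seconds to confirm the reset.");
        ResetResponse response = connection.SendCommand(new ResetCommand());

        if (response.Status == ResponseStatus.Success)
        {
            return true;                                   // StatusWord 0x9000
        }

        // 0x6F3A: CTAP user-action timeout, i.e. the contact was not touched in time.
        // StatusWord is a short, so compare against the same-width constant.
        if (response.StatusWord == unchecked((short)0x6F3A))
        {
            Console.WriteLine("Timed out waiting for touch; repeat the reboot and try again.");
            return false;
        }

        Console.WriteLine($"Reset refused: StatusWord 0x{response.StatusWord:X4} ({response.Status}).");
        return false;
    }
}
```

The ordering matters: the touch prompt is printed only after the connection is open and just before the command is sent, because any delay between reinsertion and ResetCommand eats into the reboot window, whereas the 30-second touch timer only starts once the key has accepted the command.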
Sample code
The FIDO2 sample program (located under Yubico.YubiKey/examples/Fido2SampleCode/) contains a class (/Fido2SampleCode/YubiKeyOperations/Fido2Reset.cs) that demonstrates how to execute the FIDO2 reset steps. This includes code for:
- creating a listener to determine when the YubiKey is removed and reinserted
- notifying the user to remove, reinsert, and touch the YubiKey
- calling the lower-level SDK command API to perform the reset once the key has been rebooted