FIDO2 Reset

The FIDO2 application can be reset on all YubiKeys that support FIDO2. A reset will remove any credentials present and set the application to the "no PIN" state.

However, there are some caveats:

  • The YubiKey will no longer be able to perform authentication with credentials that were removed from the FIDO2 application during the reset.
  • The process of resetting is a bit complicated; the .NET YubiKey API does not include a higher-level Fido2Session method for performing the entire operation. Instead, you must use a lower-level command class as described below.
Note

The individual FIDO reset can be used with YubiKey Bio Multi-protocol Edition keys only if the FIDO application is not "blocked" (check the key's ResetBlocked property to confirm). Otherwise, the device-wide reset must be used instead.

Steps

Resetting the FIDO2 application is something you hope you never need to do. Generally, the only reason to reset the FIDO2 application is that its PIN has been blocked.

To perform a FIDO2 reset, complete the following:

  1. "Reboot" the YubiKey by removing it from and reinserting it into the host device. Connect to the YubiKey and its FIDO2 application once it has been reinserted. This will likely be done using a listener class (see YubiKeyDeviceListener).

  2. Within a time limit from the reboot (10 seconds for YubiKeys with firmware version 5.5.4 and later or 5 seconds for firmware versions prior to 5.5.2), send the ResetCommand.

    Note

    The reboot requirement and 10-second timeout are mandated by the CTAP 2.1 standard.

  3. The YubiKey will not respond with the ResetResponse immediately. Within 30 seconds, the user must touch the contact of the YubiKey. If the touch does not occur in time, the YubiKey returns a ResetResponse with a StatusWord of 0x6F3A, the CTAP timeout error (the Status property will be Failed). If the user touches the contact within the time limit, the FIDO2 application is reset (the StatusWord property will be 0x9000, and the Status property will be Success).

    See the FIDO2 reset APDU documentation for information on other possible StatusWord responses.
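The three steps above, driven end to end from a console program. This is an added example written for this page, not the SDK's own Fido2Reset.cs sample; it assumes the Yubico.YubiKey package and uses only the public types named above (YubiKeyDeviceListener, ResetCommand, ResetResponse). The 60-second wait for reinsertion is an arbitrary value chosen here.

```csharp
using System;
using System.Threading;
using Yubico.YubiKey;
using Yubico.YubiKey.Fido2.Commands;

public static class Fido2ResetExample
{
    public static int Main()
    {
        var listener = YubiKeyDeviceListener.Instance;
        using var rebooted = new ManualResetEventSlim(false);
        IYubiKeyDevice device = null;
        bool removed = false;

        // Step 1: the key must be removed and reinserted. Require a Removed event
        // first so a key that is already plugged in is not mistaken for a reboot.
        listener.Removed += (s, e) => { Console.WriteLine("Removed; reinsert it now."); removed = true; };
        listener.Arrived += (s, e) =>
        {
            if (!removed) return;
            device = e.Device;
            rebooted.Set();
        };
        Console.WriteLine("Remove the YubiKey, then reinsert it.");
        if (!rebooted.Wait(TimeSpan.FromSeconds(60)) || device == null) { Console.WriteLine("No reinsert detected; aborting."); return 1; }

        // Step 2: send ResetCommand immediately; the key only accepts it in the
        // short post-reboot window (5 or 10 s depending on firmware, see above).
        using IYubiKeyConnection connection = device.Connect(YubiKeyApplication.Fido2);
        Console.WriteLine("Touch the YubiKey within 30 seconds to confirm the reset.");
        ResetResponse response = connection.SendCommand(new ResetCommand());
        return Report(response);
    }

    // Step 3: interpret the result. 0x9000 means the reset happened (credentials
    // removed, "no PIN" state); 0x6F3A means no touch within 30 s and nothing changed.
    public static int Report(ResetResponse response)
    {
        if (response.Status == ResponseStatus.Success)
        {
            Console.WriteLine("FIDO2 application reset.");
            return 0;
        }
        Console.WriteLine(response.StatusWord == 0x6F3A
            ? "Timed out waiting for touch; NOT reset. Reboot the key and retry."
            : $"Reset failed: 0x{response.StatusWord:X4} ({response.StatusMessage}).");
        return 1;
    }
}
```

On a YubiKey Bio Multi-protocol Edition, check the device's ResetBlocked property before sending the command, as the note above describes; this example does not do that check.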

Sample code

The FIDO2 sample program (located under Yubico.YubiKey/examples/Fido2SampleCode/) contains a class (/Fido2SampleCode/YubiKeyOperations/Fido2Reset.cs) that demonstrates how to execute the FIDO2 reset steps. This includes code for:

  • creating a listener to determine when the YubiKey is removed and reinserted
  • notifying the user to remove, reinsert, and touch the YubiKey
  • calling the lower-level SDK command API to perform the reset once the key has been rebooted