Removing a Configuration Protection Access Code

If You Know the Access Code

  1. Open the YubiKey Personalization Tool and insert your YubiKey.
  2. Click on the Settings tab.
  3. Click the "Update Settings..." button.
  4. In the Configuration Slot section, select the slot you wish to remove the configuration protection from.
  5. In the Configuration Protection section, select "YubiKey(s) Protected - Disable Protection".
  6. Type your access code.
  7. Press the "Update" button.

If You Do Not Know the Access Code

The short answer is -- you can't. When you have set a configuration protection access code (using the YubiKey Personalization Tool), you cannot remove it without knowing it. The purpose of setting access codes is to prevent others from deleting a credential from the slot(s) or programming a different credential. If you set an access code, and then forget it, you cannot recover from this situation. You can still use the credential on the protected slot(s), but several things can no longer happen with this YubiKey:

  1. You cannot delete or overwrite the protected credential.
  2. You can no longer swap the credentials in slot 1 and slot 2.
  3. If this is a multi-protocol YubiKey, you cannot enable or disable the modes (OTP, U2F/FIDO, CCID).

If you want to protect the configuration of your YubiKey with an access code, be sure to store your access code in a safe place using appropriate security practices.