Removing a configuration protection access code


If you know the access code

  1. Download and install YubiKey Manager (CLI)
  2. Run the following command, replacing $accesscode with the access code set on your YubiKey and $slot with the slot the code protects (1 or 2). ykman expects the access code as 12 hex characters (a 6-byte value); if your access code is shorter than 12 characters, pad the beginning of the code with zeroes until it is 12 characters long:
    ykman otp --access-code $accesscode settings --delete-access-code $slot --force
    Example command for a YubiKey with serial number 28629609 and a configuration protection access code currently set on slot 2 (the code was set with the YubiKey Personalization Tool's "use serial number" option, so the code is the serial number padded to 12 digits):
    ykman otp --access-code 000028629609 settings --delete-access-code 2 --force
  3. If successful, a message similar to Settings for slot 2 updated will be displayed.
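The steps above as a small shell wrapper. This is an added example, not Yubico's own script: it normalizes the access code the way step 2 describes (hex only, left-padded with zeroes to 12 characters, never longer than 12), checks the slot, and then runs the ykman command from the page. It assumes ykman is on PATH; the DRY_RUN variable is a convention of this script only (not a ykman option) and makes it print the command instead of executing it, which is also how you can verify the padded code before touching the key.

```shell
#!/usr/bin/env sh
# Added example (not from the original page): delete a configuration
# protection access code from a YubiKey OTP slot with ykman.
# Usage: ./delete-access-code.sh <access-code-or-serial> <slot>
#        DRY_RUN=1 ./delete-access-code.sh 28629609 2   # print only

# Left-pad an access code to the 12 hex characters ykman expects.
# Fails (returns 1) on empty input, non-hex characters, or more than
# 12 characters, since a 6-byte code can never be longer than that.
pad_access_code() {
    code="$1"
    case "$code" in
        '' | *[!0-9A-Fa-f]*) return 1 ;;   # empty or not hex
    esac
    [ "${#code}" -le 12 ] || return 1      # too long to be a 6-byte code
    while [ "${#code}" -lt 12 ]; do
        code="0$code"
    done
    printf '%s\n' "$code"
}

# Validate the slot, normalize the code, then run (or, with DRY_RUN=1,
# print) the exact ykman invocation given on the page.
delete_access_code() {
    raw="$1"
    slot="$2"
    case "$slot" in
        1 | 2) ;;
        *) echo "slot must be 1 or 2, got: $slot" >&2; return 2 ;;
    esac
    code=$(pad_access_code "$raw") || {
        echo "invalid access code (need 1-12 hex characters): $raw" >&2
        return 2
    }
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'ykman otp --access-code %s settings --delete-access-code %s --force\n' \
            "$code" "$slot"
    else
        # On success ykman reports something like "Settings for slot 2 updated".
        ykman otp --access-code "$code" settings --delete-access-code "$slot" --force
    fi
}

# Only act when invoked with arguments, so the functions can also be sourced.
if [ "$#" -ge 2 ]; then
    delete_access_code "$1" "$2"
fi
```

Run it once with DRY_RUN=1 to confirm the padded code matches what you set (for a "use serial number" code, the serial padded to 12 digits), then run it again without DRY_RUN to apply the change.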


If you do not know the access code

The short answer is -- you can't. Once a configuration protection access code has been set (using the YubiKey Personalization Tool), or if your organization ordered custom configuration with access codes set, the code cannot be removed without knowing it. That is the point of the access code: it prevents anyone else from deleting the credential in the protected slot(s) or programming a different credential there. If you set an access code and then forget it, there is no recovery path. You can still use the credential in the protected slot(s), but the following operations are no longer possible on this YubiKey:

  1. You cannot delete or overwrite the protected credential
  2. You can no longer swap the credentials in slot 1 and slot 2
  3. If this is a multi-protocol YubiKey, you cannot enable or disable the YubiKey's various applications

If you want to protect the configuration of your YubiKey with an access code, be sure to store your access code in a safe place using appropriate security practices.