Resetting the OTP Applet on the YubiKey


WARNING: The steps in this guide will permanently delete the credentials stored in the YubiKey's two programmable OTP slots.

The OTP applet on the YubiKey cannot technically be reset to factory defaults. To emulate a factory reset, you can delete the credentials from both slots, program a new Yubico OTP credential in slot 1, and upload that credential to YubiCloud. This can be done with either YubiKey Manager or the YubiKey Personalization Tool; both methods are covered below.

Using YubiKey Manager

Step 1 - Deleting credentials

  1. Download, install, and launch YubiKey Manager.
  2. Insert your YubiKey, and navigate to Applications > OTP.
    • If you encounter an error message when you do this and are running macOS Catalina (10.15) or newer, please see the section macOS in this article.
  3. Select Delete, then YES under both Short Touch (Slot 1) and Long Touch (Slot 2).
    • If you encounter an error message when clicking YES, check the Troubleshooting section near the end of the article.

Step 2 - Programming and uploading a new Yubico OTP credential

  1. Still under Applications > OTP, under Short Touch (Slot 1), click Configure.
    • If you prefer the credential to go into slot 2, select Configure under Long Touch (Slot 2) instead.
  2. Leave Yubico OTP selected, then click Next.
  3. Check Use serial, click Generate next to both Private ID and Secret key, check Upload, then click Finish.
    • If you receive an error message when clicking Finish, check the Troubleshooting section near the end of the article.
  4. Your web browser should open and navigate to https://upload.yubico.com/, with most of the form filled out.
  5. Click in the OTP from YubiKey field, then trigger the YubiKey to generate a Yubico OTP by touching its gold sensor for 1-2 seconds.
    • If you programmed into slot 2, hold its sensor for 2+ seconds instead.
  6. Check the I'm not a robot box, complete any CAPTCHA challenges you are presented with, and click Upload.
  7. Wait for the credential to be uploaded and processed.
  8. Once processed, click Try it out, and follow the instructions on https://demo.yubico.com/otp/verify to test your credential.

Using the YubiKey Personalization Tool

Step 1 - Deleting credentials

  1. Download, install, and launch the YubiKey Personalization Tool.
  2. Insert your YubiKey, and verify the Personalization Tool detects it (you should see YubiKey is inserted near the top-right of the window).
    • If you see Unknown error occurred in the top-right of the window and are running macOS Catalina (10.15) or newer, please see the section macOS in this article.
  3. Along the top of the window, select Tools, then click Delete Configuration.
  4. Select Configuration Slot 1, then Delete, select Configuration Slot 2, and hit Delete again.
    • If you encounter an error message when clicking Delete, check the Troubleshooting section near the end of the article.

Step 2 - Programming and uploading a new Yubico OTP credential

  1. Make sure your YubiKey is inserted, and select Yubico OTP from the top of the Personalization Tool window.
  2. Select Quick.
  3. Select the slot you want to program in (Configuration Slot 1 or 2), click Regenerate, then click Write Configuration.
  4. Answer any pop-ups about where to save the log file/what to call it.
  5. You should see YubiKey (Public ID: <public_id>) has been successfully configured along the top in green.
  6. Next, click Upload to Yubico.
  7. A browser should open and navigate to https://upload.yubico.com/, with most of the form filled out.
  8. Click inside the OTP from YubiKey field, then activate the slot you programmed the new credential in to populate the field.
    • Touch the sensor for 1-2 seconds for slot 1, and hold for 2+ seconds for slot 2.
  9. Check the I'm not a robot box, complete any CAPTCHA challenges you are presented with, and click Upload.
  10. Wait for the credential to be uploaded and processed.
  11. Once processed, click Try it out, and follow the instructions on https://demo.yubico.com/otp/verify to test your credential.

Troubleshooting

Issue: When trying to delete one or both credentials, you receive one of two error messages, depending on whether you are using YubiKey Manager or the YubiKey Personalization Tool. In YubiKey Manager, the error is "Failed to modify Short/Long Touch (Slot 1/2). Make sure the YubiKey does not have restricted access." In the Personalization Tool, it is "YubiKey could not be configured. Perhaps protected with configuration protection access code?"

Resolution: This indicates the slot is protected by a configuration protection access code. If using the Personalization Tool, you will need to check Use Access Code and enter the access code to be able to delete the credential successfully. The graphical version of YubiKey Manager does not currently include an option to provide an access code when deleting slot credentials, but the command-line version does; see this reference for more information. If you do not know the access code, it will not be possible to delete the configuration from the slot.

Issue: You receive the error "Upload failed: Failed to open HTTPS connection. Credential not configured." when clicking Finish in YubiKey Manager with the Upload box checked.

Resolution: Update to the latest version of YubiKey Manager, which can be downloaded from this page.

Issue: You receive the error "Upload failed: Public ID is already in use. Credential not configured." when clicking Finish in YubiKey Manager with the Upload box checked.

Resolution: The public ID you have specified (or generated from your YubiKey's serial number) is already in use, meaning you will need to pick a different one. If you generated it from your YubiKey's serial number, you can uncheck the Use serial box and change some of the characters to create a new public ID. Note that your public ID must be twelve characters long, can only include characters from the modhex alphabet (c, b, d, e, f, g, h, i, j, k, l, n, r, t, u, v), and, in order to be uploadable to our servers, must begin with vv (e.g. vvcjiklnrtuv). Alternatively, you can use the Personalization Tool to program and upload a new Yubico OTP credential (see section above).
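The public ID rules from the resolution above (twelve characters, modhex alphabet, leading vv) can be checked before you retry the upload. The following is an added example, not Yubico's code: the function names are made up for illustration, and it assumes the standard modhex encoding, in which the letters in the order listed above stand for the hex digits 0 through f.

```python
import secrets

# Modhex alphabet in the order the article lists it; position i encodes hex digit i.
MODHEX = "cbdefghijklnrtuv"
HEX = "0123456789abcdef"


def modhex_encode(data: bytes) -> str:
    """Encode raw bytes as modhex text."""
    return data.hex().translate(str.maketrans(HEX, MODHEX))


def modhex_decode(text: str) -> bytes:
    """Decode modhex text to raw bytes; reject anything outside the alphabet."""
    bad = sorted(set(text) - set(MODHEX))
    if bad:
        raise ValueError("not modhex: " + "".join(bad))
    return bytes.fromhex(text.translate(str.maketrans(MODHEX, HEX)))


def check_public_id(pid: str) -> list:
    """Return the reasons a public ID breaks the article's rules (empty list = OK)."""
    problems = []
    if len(pid) != 12:
        problems.append(f"length is {len(pid)}, must be 12")
    bad = sorted(set(pid) - set(MODHEX))
    if bad:
        problems.append("non-modhex characters: " + "".join(bad))
    if not pid.startswith("vv"):
        problems.append("must begin with 'vv' to be uploadable")
    return problems


def new_public_id() -> str:
    """Build a fresh candidate: 'vv' plus 10 random modhex characters (5 random bytes)."""
    return "vv" + modhex_encode(secrets.token_bytes(5))


if __name__ == "__main__":
    # Constructed sample inputs; the first is the example ID from the article.
    for candidate in ("vvcjiklnrtuv", "ccabc", new_public_id()):
        print(candidate, check_public_id(candidate) or "OK")
```

A candidate that passes these checks can still be rejected as already in use; that is only known once the upload is attempted.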