Resetting the OTP Application on the YubiKey


WARNING: Following the steps in this guide will permanently delete one or both credentials stored in the YubiKey's two programmable OTP slots.

 

While it is not possible to fully reset the YubiKey's OTP application to factory defaults, it is possible to get very close. To emulate a factory reset, program a new Yubico OTP credential in slot 1, upload that credential to YubiCloud, and then consider erasing any credential present in slot 2, which comes blank from the factory. This can be done using either YubiKey Manager or the YubiKey Personalization Tool; both tools are covered below.

 

Program and upload a new Yubico OTP credential

Using YubiKey Manager

  1. Download, install, and launch YubiKey Manager.
  2. Insert your YubiKey, and navigate to Applications > OTP.
    • If you are running macOS Catalina (10.15) or newer and encounter an error when doing this, see the macOS section in this article.
  3. Under Short Touch (Slot 1), click Configure.
  4. Leave Yubico OTP selected, then click Next.
  5. Check Use serial, click Generate next to both Private ID and Secret key, check Upload, and then click Finish.
    • If you receive an error, check the Troubleshooting section near the end of the article.
  6. Your web browser should open and navigate to upload.yubico.com with most of the form filled out.
  7. Click in the OTP from YubiKey field, then trigger the YubiKey to generate a Yubico OTP by touching its gold sensor for 1-2 seconds.
  8. Check the I'm not a robot box, complete any CAPTCHA challenges you are presented with, and click Upload.
  9. Wait for the credential to be uploaded and processed.
  10. Once processed, click Try it out, and follow the instructions on the page to test your credential.

Using the YubiKey Personalization Tool

  1. Download, install, and launch the YubiKey Personalization Tool.
  2. Insert your YubiKey, and verify the Personalization Tool detects it (you should see YubiKey is inserted near the top-right of the window).
    • If you see Unknown error occurred in the top-right of the window and are running macOS Catalina (10.15) or newer, see the macOS section in this article.
  3. Select Yubico OTP from the top of the Personalization Tool window.
  4. Select Quick.
  5. Select Configuration Slot 1, click Regenerate, and then click Write Configuration.
  6. Answer any pop-ups about where to save the log file/what to call it.
  7. You should see YubiKey (Public ID: <public_id>) has been successfully configured along the top in green.
    • If you instead see an error message, check the Troubleshooting section near the end of the article.
  8. Click Upload to Yubico.
  9. A browser should open and navigate to https://upload.yubico.com/, with most of the form filled out.
  10. Click in the OTP from YubiKey field, then trigger the YubiKey to generate a Yubico OTP by touching its gold sensor for 1-2 seconds.
  11. Check the I'm not a robot box, complete any CAPTCHA challenges you are presented with, and click Upload.
  12. Wait for the credential to be uploaded and processed.
  13. Once processed, click Try it out, and follow the instructions on the page to test your credential.

(Optional) Erase credential in slot 2

From the factory, slot 2 of the YubiKey's OTP application is blank. If you want your YubiKey configured this way and have a credential present in slot 2, follow the instructions below.

 

Using YubiKey Manager

  1. Launch YubiKey Manager, and insert your YubiKey.
  2. Navigate to Applications > OTP.
  3. Under Long Touch (Slot 2), click Delete, then YES.
    • If you encounter an error message, check the Troubleshooting section below.

Using the YubiKey Personalization Tool

  1. Launch the Personalization Tool, and insert your YubiKey.
  2. Along the top of the window, select Tools, then click Delete Configuration.
  3. Select Configuration Slot 2, then click Delete.
    • If you encounter an error message, check the Troubleshooting section below.

Troubleshooting

Issue: You receive one of two error messages when trying to delete/overwrite one or both credentials, depending on whether you are using YubiKey Manager or the YubiKey Personalization Tool. In YubiKey Manager, the error will be "Failed to modify Short/Long Touch (Slot 1/2). Make sure the YubiKey does not have restricted access."; in the Personalization Tool, it will be "YubiKey could not be configured. Perhaps protected with configuration protection access code?"

 

Resolution: This indicates the slot is protected by a configuration protection access code. If using the Personalization Tool, you will need to check Use Access Code and enter the access code to be able to delete the credential successfully. The graphical version of YubiKey Manager does not currently include an option to provide an access code when deleting slot credentials, but the command-line version does; see this reference for more information. If you do not know the access code, it will not be possible to delete/overwrite the credential.

 

 

Issue: You receive the error "Upload failed: Failed to open HTTPS connection. Credential not configured." when clicking Finish in YubiKey Manager with the Upload box checked.

 

Resolution: Update to the latest version of YubiKey Manager, which can be downloaded from this page. If this does not resolve the issue, uncheck Upload, copy the Public ID, Private ID and Secret key somewhere safe temporarily, click Finish, then use the copied parameters to manually fill out the form on https://upload.yubico.com/ to upload the credential. Note that you may need to uncheck Use serial in YubiKey Manager in order to copy the Public ID.

 

 

Issue: You receive the error "Upload failed: Public ID is already in use. Credential not configured." when clicking Finish in YubiKey Manager with the Upload box checked.

 

Resolution: The public ID you have specified (or generated from your YubiKey's serial number) is already in use, meaning you will need to pick a different one. If you generated from your YubiKey's serial number, you can uncheck the Use serial box, and change a number of the characters to create a new public ID. Note that your public ID must be twelve characters long, can only include characters from the modhex alphabet (c, b, d, e, f, g, h, i, j, k, l, n, r, t, u, v), and, in order to be uploadable to our servers, must begin with two v's (e.g. vvcjiklnrtuv). Alternatively, you can use the Personalization Tool to program and upload a new Yubico OTP credential (see above).
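The public ID rules above can be checked locally before you retry the upload. The following is an added example, not Yubico's code; the function names are hypothetical, and it also shows which hex digits a modhex string encodes and how to draw a fresh candidate ID with the required prefix.

```python
import secrets

# Modhex alphabet in value order: the character at position i encodes hex digit i.
MODHEX = "cbdefghijklnrtuv"
HEX = "0123456789abcdef"


def modhex_to_hex(s):
    """Translate a modhex string to the hex digits it encodes."""
    return s.translate(str.maketrans(MODHEX, HEX))


def hex_to_modhex(s):
    """Translate a hex string to its modhex spelling."""
    return s.lower().translate(str.maketrans(HEX, MODHEX))


def public_id_problems(public_id):
    """Return the rules from the text that the ID breaks (empty list = OK)."""
    problems = []
    if len(public_id) != 12:
        problems.append(f"length is {len(public_id)}, expected 12")
    bad = sorted(set(public_id) - set(MODHEX))
    if bad:
        problems.append("non-modhex characters: " + "".join(bad))
    if not public_id.startswith("vv"):
        problems.append("does not begin with 'vv'")
    return problems


def random_public_id():
    """Hypothetical helper: 'vv' followed by 10 random modhex characters."""
    return "vv" + "".join(secrets.choice(MODHEX) for _ in range(10))


if __name__ == "__main__":
    # Constructed sample inputs; only the first is taken from the text above.
    for candidate in ("vvcjiklnrtuv", "vvcjiklnrtu", "ccjiklnrtuvv", "vvabcdefghij"):
        print(candidate, public_id_problems(candidate) or "ok")
    print("new candidate:", random_public_id())
```

A candidate that passes these checks can still be rejected by the upload form if that public ID is already registered; the check only covers length, alphabet, and prefix.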