Resetting the OTP application on the YubiKey


WARNING: Following the steps in this guide will permanently delete one or both credentials stored in the YubiKey's two programmable OTP slots.


While it is not possible to fully reset the YubiKey's OTP application to factory defaults, it is possible to get very close. To emulate a factory reset, program a new Yubico OTP credential in slot 1, upload that credential to YubiCloud, and then consider erasing any credential present in slot 2, which comes blank from the factory. All of this can be done with Yubico Authenticator.


Program and upload a new Yubico OTP credential

Using Yubico Authenticator

  1. Download, install, and launch Yubico Authenticator
  2. Insert your YubiKey, and navigate to Slots

  3. Click Short Touch (Slot 1) to select the slot.
  4. Click on the Yubico OTP button to configure the slot with a new Yubico OTP credential.

  5. Click on the star icon in Public ID to use the serial number of the YubiKey for Public ID.
    If you are prompted for an access code, refer to Troubleshooting below.
  6. Click on the generate button to generate a new Private ID.
  7. Click on the generate button to generate a new Secret key.
  8. If you’d like a carriage return to be added after generating the OTP, select Append.

  9. If you’d like to back up your configuration information, select the export file location.

  10. Open https://upload.yubico.com and copy and paste each section into the corresponding field on the webpage.
  11. In the OTP from YubiKey field, make sure the cursor is in the field and then tap the capacitive touch sensor on your YubiKey to generate the new OTP.
  12. Click Save in Yubico Authenticator to write the new OTP configuration
  13. On the Upload page, while your cursor is in the "OTP from the YubiKey" field, tap the capacitive touch sensor on the YubiKey to generate a new OTP (if you programmed the new OTP into slot 2 instead, you'll need to tap and hold the capacitive touch sensor for 3+ seconds to generate the OTP)
  14. Check the I'm not a robot box, complete any CAPTCHA challenges you are presented with, and click Upload.
  15. Wait until the upload process has fully completed.
  16. Once processed, click Try it out, and follow the instructions on the page to test your credential.

(Optional) Erase credential in slot 2

From the factory, slot 2 of the YubiKey's OTP application is blank. If you want your YubiKey configured this way and have a credential present in slot 2, follow the instructions below.


Using Yubico Authenticator

  1. Launch Yubico Authenticator
  2. Insert your YubiKey, and navigate to Slots
  3. Select Long Touch (Slot 2), then click Delete credential.
  4. To confirm the deletion of the credential from slot 2, click Delete.

Troubleshooting

Issue: When attempting to delete a slot that isn't empty, or attempting to program a new credential into a slot that isn't empty, you may be presented with a prompt requesting the access code for the slot.

Solution: If you know the access code that was set on this slot, enter it into the prompt and click Unlock. If you don't know the code, you or someone at your organization who originally provided you with the key set a configuration protection access code using another Yubico application [YubiKey Personalization Tool, or YubiKey Manager (CLI)] in order to prevent accidental (or intentional) deletion of the credential stored in that slot. Without the code, it's impossible to make any configuration changes to the slot. This is by design, as the feature is intended to prevent any unwanted configuration changes from being made to your YubiKey. A configuration protection access code is formatted as a 12-digit numeric code, and in cases where a code is set to prevent accidental deletion of a slot, it's most common to use the serial number as the access code, so this may be a good thing to try. For example, if your YubiKey serial number is 28 629 609, try the serial number padded with zeros at the beginning (e.g. 000028629609).
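The following is an added example (not Yubico's code, nor taken from this article) that ties together two passages above: the Public ID / Private ID / Secret key values the Yubico Authenticator steps produce and upload, and the zero-padded 12-digit access code described in Troubleshooting. It assumes that the "star" button derives the Public ID as the modhex encoding of the bytes 0xff 0x00 followed by the 4-byte big-endian serial number (the derivation used by the YubiKey Manager CLI's serial-based public ID option as far as I know, so treat it as an assumption), that the Private ID is 6 random bytes and the Secret key 16 random bytes, and that the 44-character OTP string used for the check is constructed here rather than emitted by a real key. It does not decrypt the OTP; that part of verification needs the AES key you uploaded to YubiCloud, which is the point of the upload step.

```python
"""Added example: the pieces of a Yubico OTP credential as programmed above,
and the first check a verifier makes on an emitted OTP (public ID lookup).

Assumptions (not from the article): Public ID = modhex(ff 00 + 4-byte serial);
private ID 6 bytes; secret key 16 bytes; the serial 28629609 is the one used in
the Troubleshooting example; the OTP below is constructed, not from a real key.
"""
import secrets
import struct

# Modhex maps each hex nibble to a letter at the same position on every
# keyboard layout, so the typed OTP survives keyboard-layout differences.
MODHEX_ALPHABET = "cbdefghijklnrtuv"
_HEX = "0123456789abcdef"
_TO_MODHEX = dict(zip(_HEX, MODHEX_ALPHABET))
_FROM_MODHEX = dict(zip(MODHEX_ALPHABET, _HEX))

PUBLIC_ID_LEN = 12     # modhex chars (6 bytes), sent in cleartext
PRIVATE_ID_LEN = 6     # bytes, lives inside the encrypted token (assumed size)
SECRET_KEY_LEN = 16    # bytes, AES-128 key shared only with YubiCloud (assumed)
OTP_LEN = 44           # 12-char public ID + 32 modhex chars of encrypted token


def modhex_encode(data: bytes) -> str:
    return "".join(_TO_MODHEX[c] for c in data.hex())


def modhex_decode(text: str) -> bytes:
    if any(c not in _FROM_MODHEX for c in text):
        raise ValueError("not a modhex string")
    return bytes.fromhex("".join(_FROM_MODHEX[c] for c in text))


def public_id_from_serial(serial: int) -> str:
    """Public ID the 'star' button fills in (assumed derivation, see above)."""
    return modhex_encode(b"\xff\x00" + struct.pack(">I", serial))


def access_code_from_serial(serial: int) -> str:
    """The 12-digit guess from Troubleshooting: serial left-padded with zeros."""
    return f"{serial:012d}"


def new_credential(serial: int) -> dict:
    """What the two 'generate' buttons do: a fresh random private ID and key."""
    return {
        "public_id": public_id_from_serial(serial),
        "private_id": secrets.token_bytes(PRIVATE_ID_LEN).hex(),
        "secret_key": secrets.token_bytes(SECRET_KEY_LEN).hex(),
    }


def split_otp(otp: str) -> tuple:
    """Split a 44-char OTP into its cleartext public ID and encrypted token."""
    otp = otp.strip()  # the 'Append' option adds a carriage return after the OTP
    if len(otp) != OTP_LEN:
        raise ValueError(f"expected {OTP_LEN} modhex chars, got {len(otp)}")
    modhex_decode(otp)  # raises on any non-modhex character
    return otp[:PUBLIC_ID_LEN], otp[PUBLIC_ID_LEN:]


def otp_belongs_to_serial(otp: str, serial: int) -> bool:
    """First check a verifier does: does the public ID prefix name this key?
    The encrypted remainder can only be validated with the uploaded secret key."""
    try:
        public_id, _token = split_otp(otp)
    except ValueError:
        return False
    return public_id == public_id_from_serial(serial)


if __name__ == "__main__":
    serial = 28629609
    cred = new_credential(serial)
    print("public ID :", cred["public_id"])
    print("private ID:", cred["private_id"])
    print("secret key:", cred["secret_key"])
    print("access code to try:", access_code_from_serial(serial))
    # Constructed OTP: our public ID followed by 32 arbitrary modhex characters.
    otp = cred["public_id"] + "cbdefghijklnrtuv" * 2
    print("prefix matches key:", otp_belongs_to_serial(otp, serial))
```

Running this for serial 28629609 prints the public ID `vvcccbnftlhk`, which is what the "Try it out" page sees as the first 12 characters of every OTP from that key; if the prefix you get after step 16 differs from what the Upload page shows, the credential was not written to the slot you tapped.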