When you keep your Nano YubiKey (any YubiKey model with “Nano” or “-n” in the name) inserted in the USB port as intended by the design, you may find that you can trigger OTP codes without meaning to simply by brushing against the YubiKey. There are a few options for resolving this issue.
Disable the OTP interface
The YubiKey has multiple interfaces, and you can disable some of them without affecting the others. Disabling the OTP interface will prevent the YubiKey from emitting an OTP when touched. Note that if you have configured the YubiKey with a challenge-response credential, or to emit a static password or OATH-HOTP when touched, that will also be disabled since those features also require the OTP interface.
- Install and open the YubiKey Manager GUI application.
- With your YubiKey plugged in, click the "Interfaces" tab.
- Uncheck the "OTP" check box.
- Click the "Save Interfaces" button.
- If your YubiKey is a YubiKey 4 or earlier, unplug the YubiKey and plug it back in. For YubiKey 5 and later, no further action is needed.
To enable the OTP interface again, go through the same steps again but instead check the "OTP" check box in step 3.
Changing the YubiKey Configuration to Delay the OTP
If you cannot disable the OTP interface because you need some feature that require it, there are two ways you can delay the OTP from being sent.
Swap the OTP Credential to Slot 2 (Recommended)
When you move the OTP credential to the second slot, it requires a long 3 second touch to activate so it is much harder to trigger accidentally. See the Swapping Yubico OTP from Slot 1 to Slot 2 article for more information. Note: If you are using the other slot this can impact functionality of tools such as the Windows Logon Tool which requires the challenge-response credential to be in slot 2.
Disable the Fast OTP Setting
By default, YubiKeys arrive with the fast OTP setting enabled so it will instantly start typing the OTP as soon as you touch the metal contact. This can be delayed by disabling the fast OTP setting. Note: The amount of the delay can vary depending on the firmware version on the YubiKey.
Download the command line (CLI) version of the YubiKey Personalization Tool.
Extract the file that is downloaded.
Open Command Prompt (Windows) or Terminal (macOS and Linux).
Use the cd command to browse to the bin folder inside of the extracted folder.
Windows Example: cd Downloads\ykpers-1.19.0-win\bin
macOS Example: cd Downloads/ykpers-1.19.0-mac/bin
Run: ykpersonalize -u -1 -o -fast-trig
Note: macOS and Linux users need to preface the command with ./ so it reads ./ykpersonalize.
Press Y and then Enter to confirm.
Remove and reinsert your YubiKey.
Using Software to Disable the YubiKey After Inactivity
macOS users can use the YubiSwitch application to turn off the YubiKey after a period of inactivity. YubiSwitch is not developed or maintained by Yubico.