Removing a Configuration Protection Access Code

This article applies to:


If You Know the Access Code

  1. Open the YubiKey Personalization Tool and insert your YubiKey.
  2. Click on the Settings tab.
  3. Click the "Update Settings..." button.
  4. In the Configuration Slot section, select the slot you wish to remove the configuration protection from.
  5. In the Configuration Protection section, select "YubiKey(s) Protected - Disable Protection".
  6. Type your access code.
  7. Press the "Update" button.


If You Do Not Know the Access Code

The short answer is: you can't. Once you have set a configuration protection access code (using the YubiKey Personalization Tool), you cannot remove it without knowing it. The purpose of an access code is to prevent others from deleting a credential from the slot(s) or programming a different credential. If you set an access code and then forget it, there is no way to recover from this situation. You can still use the credential on the protected slot(s), but several things can no longer be done with this YubiKey:

  1. You cannot delete or overwrite the protected credential.
  2. You can no longer swap the credentials in slot 1 and slot 2.
  3. If this is a multi-protocol YubiKey (a YubiKey 4, YubiKey NEO, or YubiKey Edge), you cannot enable or disable the modes (OTP, U2F, CCID).

If you want to protect the configuration of your YubiKey with an access code, be sure to store your access code in a safe place using appropriate security practices.
