LinuxCommandLibrary

ykman-fido

Manage FIDO credentials on YubiKey

TLDR

Display general information about the FIDO2 application
$ ykman fido info

Change the FIDO pin
$ ykman fido access change-pin

List resident credentials stored on the YubiKey
$ ykman fido credentials list

Delete a resident credential from the YubiKey
$ ykman fido credentials delete [id]

List fingerprints stored on the YubiKey (requires a key with a fingerprint sensor)
$ ykman fido fingerprints list

Add a new fingerprint to the YubiKey
$ ykman fido fingerprints add [name]

Delete a fingerprint from the YubiKey
$ ykman fido fingerprints delete [name]

Wipe all FIDO credentials (required after the PIN retry limit has been exceeded)
$ ykman fido reset

SYNOPSIS

ykman fido command [options] [arguments]

Common commands include:

ykman fido info
ykman fido reset [--force]
ykman fido verify [--pin PIN]
ykman fido change-pin [--pin PIN] [--new-pin NEW_PIN]
ykman fido set-pin [--pin PIN] [--new-pin NEW_PIN]
ykman fido credentials list [--fingerprints]
ykman fido credentials delete [--pin PIN] [--cred-id CRED_ID] [--rp-id RP_ID]

PARAMETERS

command
    The specific FIDO operation to perform (e.g., info, reset, verify, change-pin, set-pin, credentials).

-d, --device
    Specify the YubiKey device by its serial number if multiple devices are connected.

-l, --log-level
    Set the logging verbosity level (e.g., DEBUG, INFO, WARNING, ERROR, CRITICAL).

-h, --help
    Display help message for the ykman fido command or its subcommands.

--force
    Used with reset to bypass the confirmation prompt for destructive actions.

--pin
    Provide the current FIDO PIN non-interactively.

--new-pin
    Provide the new FIDO PIN non-interactively when setting or changing the PIN.

--fingerprints
    Used with credentials list to include credential fingerprints in the output.

--cred-id
    Used with credentials delete to specify the credential ID to remove.

--rp-id
    Used with credentials delete to specify the Relying Party ID (domain) of the credential to remove.

DESCRIPTION

The ykman-fido command is a specialized subcommand of the YubiKey Manager (ykman) utility, dedicated to administering the FIDO2 (WebAuthn) and U2F applications on YubiKey devices. It lets users view device information, manage discoverable credentials, and control access settings. Key operations include listing or deleting FIDO2 credentials, resetting the FIDO application (a destructive action), and managing the FIDO PIN: setting, changing, or verifying it. This tool is essential for users who rely on their YubiKeys for passwordless authentication or as a second factor using the FIDO/WebAuthn standards.

CAVEATS

Destructive Operations: The ykman fido reset command is highly destructive. It factory resets the entire FIDO application on the YubiKey, deleting all FIDO2 credentials and U2F registrations, including any resident (discoverable) credentials. This action is irreversible and requires explicit confirmation unless the --force option is used.
PIN Management: Providing PINs directly via command-line options (--pin, --new-pin) is less secure than interactive prompts, as the PIN may be exposed in shell history or process listings. Use with caution.
Credential Deletion: When deleting FIDO2 credentials, verify the --cred-id and --rp-id before running the command (for example, against the output of ykman fido credentials list) to avoid unintended deletions.

DISCOVERABLE CREDENTIALS

ykman fido credentials manages "discoverable" (also called "resident") credentials, which are stored directly on the YubiKey. These allow passwordless login without the user first entering a username or password: the YubiKey itself identifies the user and prompts for a PIN or fingerprint.

U2F VS. FIDO2

While ykman fido primarily focuses on FIDO2/WebAuthn, it implicitly manages the underlying U2F application as well, as FIDO2 is an evolution of U2F. A FIDO application reset will affect both.

HISTORY

The ykman utility and its subcommands, including ykman-fido, are developed and maintained by Yubico, the creators of the YubiKey. As FIDO2 (WebAuthn) gained prominence as a modern, phishing-resistant authentication standard, the need for robust management tools directly integrated with the YubiKey became apparent. The ykman-fido subcommand was introduced to provide comprehensive command-line control over the YubiKey's FIDO capabilities, allowing advanced users and system administrators to script and automate FIDO application management tasks. Its functionality has evolved with new FIDO specifications and YubiKey models, offering increasingly granular control over discoverable credentials and device settings.

SEE ALSO

ykman(1), ykman-oath(1), ykman-piv(1), fido2-assert(1), fido2-cred(1)
