How to: Delete FIDO Credentials from Yubikeys

Need to delete FIDO credentials from a Yubikey? This guide talks through the process using the Yubikey Manager CLI.

I have access to a lot of Azure AD accounts, including some temporary testing accounts that only live for short periods of time. Each of these requires 2FA (duh) and I use a single Yubikey to authenticate against many separate accounts. Over a longish period of time, I have therefore quite the library of FIDO credentials on my Yubikey, some of which have now become redundant.

I set about trying to delete these legacy credentials; however, I found that it's (slightly) more complex than it potentially should be. After a little digging, I managed in the end as follows:

A) Download and Install the Yubikey Manager Software from the Yubikey site here: https://www.yubico.com/support/download/yubikey-manager/

B) Open a Terminal window as an Administrator

C) Change to the Yubikey Manager directory, e.g.: cd "C:\Program Files\Yubico\YubiKey Manager"

D) Plug in your Yubikey

E) Run the following to list each of the FIDO credentials on the key (enter your PIN when prompted): ykman.exe fido credentials list

Output of fido credentials list command displaying active FIDO credentials stored on the Yubikey

F) Find the credential you want to delete and copy the Credential ID (a partial credential ID is fine)

G) Delete the credential by entering: ykman.exe fido credentials delete %credential id% (replace %credential id% with the value you copied above)

Output of fido credentials delete command and associated confirmation.

H) Confirm that the Username and Relying Party match the credential you are trying to delete and enter y to confirm.

I) Confirm deletion by running the ykman.exe fido credentials list command again and checking the credential no longer appears.
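
Steps E to I as a single PowerShell script, for keys that hold many stale test-account credentials. This is an added example and not part of the original post. It assumes ykman 5.x, where fido credentials list is assumed to accept --csv and emit the columns credential_id, rp_id and user_name; the parameter names and the sample user name pattern are hypothetical.

```powershell
# Added example (not from the original post). Assumptions: ykman 5.x, where
# "fido credentials list" accepts --csv and emits the columns credential_id,
# rp_id and user_name. Parameter names here are hypothetical.
param(
    [Parameter(Mandatory)] [string] $UserName,   # wildcard, e.g. 'test-*@contoso.example' (constructed)
    [string] $RpId  = '*',                       # wildcard on the relying party ID
    [string] $Ykman = 'C:\Program Files\Yubico\YubiKey Manager\ykman.exe'
)

# Step E: list the credentials; ykman prompts for the FIDO PIN.
$rows = & $Ykman fido credentials list --csv | ConvertFrom-Csv
if ($LASTEXITCODE -ne 0) { throw "ykman could not list credentials (exit code $LASTEXITCODE)" }

# Step F: select the stale credentials by relying party and user name.
$stale = @($rows | Where-Object { $_.rp_id -like $RpId -and $_.user_name -like $UserName })
if ($stale.Count -eq 0) { Write-Warning 'No credential matched; nothing deleted.'; return }
$stale | Format-Table credential_id, rp_id, user_name -AutoSize | Out-Host

# Steps G and H: delete one at a time. --force is deliberately not passed, so
# ykman still shows the user name and relying party and waits for "y".
foreach ($cred in $stale) {
    & $Ykman fido credentials delete $cred.credential_id
    if ($LASTEXITCODE -ne 0) { Write-Warning "Not deleted: $($cred.credential_id)" }
}

# Step I: list again and report any selected credential still on the key.
$after = @(& $Ykman fido credentials list --csv | ConvertFrom-Csv)
$left  = @($stale | Where-Object { $_.credential_id -in $after.credential_id })
if ($left.Count -gt 0) {
    Write-Warning "$($left.Count) selected credential(s) remain on the key."
} else {
    Write-Host "All $($stale.Count) selected credential(s) removed."
}
```

ykman asks for the PIN on every invocation, so expect one prompt per list and per delete. Deleting a credential that is still registered as the only sign-in method for an account locks you out of that account, so check the table printed in step F before answering y.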