How to Disable OTP on Your YubiKey

Pieter Bruegel the Elder, The Tower of Babel, c. 1563. Kunsthistorisches Museum, Vienna. Public domain, via Wikimedia Commons

If you’ve spent any amount of time in a Slack workspace where people use YubiKeys, you’ve seen it: suddenly a message appears in a channel that looks something like this:

ccccccgkgdkvvvjvfblbbdihehndrvjkutduvftrgubfc

If you’re not familiar with YubiKeys, this looks like gibberish—maybe someone’s cat walked across the keyboard, or they fell asleep with their face on the keys. But if you are familiar with YubiKeys, you know exactly what happened: they bumped the sensor on their key, and the OTP (One-Time Password) slot fired a Yubico OTP string directly into whatever text field had focus at the time.

I have personally witnessed this more times than I can count. My response is always the same—I react to the message with the Yubico emoji.¹ Some people see my reaction and immediately know what happened. Others are genuinely confused, both by the mystery string they just broadcasted and by my cryptic emoji response. It’s a near-universal YubiKey user experience, and it’s entirely preventable.

If you’re here, you probably want to stop this from happening. Good news: it takes about 30 seconds.

• Quick Reference
  • Via YubiKey Manager (GUI)
  • Via ykman (CLI)
• Disabling OTP vs. Removing the Credential
• What This Doesn’t Affect
• Re-Enabling OTP
• What OTP Actually Is (And Why You Probably Don’t Need It)
  • Yubico OTP
  • Static Password
  • OATH HOTP
  • OATH TOTP (A Common Source of Confusion)
  • Why FIDO2/WebAuthn Replaced All of This
• Conclusion

Quick Reference

If you just want the fix and don’t need the backstory, here you go. The GUI app approach is first because that’s what most people will reach for—if you’re not at home in a terminal, clicking a checkbox is the friendlier path. If you do live in a terminal, scroll past it to the ykman approach below.

Via YubiKey Manager (GUI)

Yubico provides a graphical application called YubiKey Manager. It runs on macOS, Windows, and Linux, and you can also install it through package managers like Homebrew and Chocolatey.

1. Open YubiKey Manager and insert your YubiKey
2. Click Interfaces in the left sidebar
3. Under USB, uncheck OTP
4. If your YubiKey supports NFC, under NFC, uncheck OTP as well
5. Click Save Interfaces

Done. The application will confirm the change, and your YubiKey will no longer emit OTP strings on touch.

Via ykman (CLI)

If you’d rather use the command line, first install the YubiKey Manager CLI if you haven’t already:

# macOS
brew install ykman

# Ubuntu / Debian
sudo apt install -y yubikey-manager

# Windows (Chocolatey)
choco install yubikey-manager -y

# Windows (winget)
winget install Yubico.YubiKeyManager

Then, with your YubiKey inserted, disable OTP on the USB interface:

$ ykman config usb --disable OTP
USB configuration changes:
  Disable Yubico OTP
  The YubiKey will reboot
Proceed? [y/N]: y
USB application configuration updated.

And if your YubiKey has NFC, disable OTP there too:

$ ykman config nfc --disable OTP
NFC configuration changes:
  Disable Yubico OTP
  The YubiKey will reboot
Proceed? [y/N]: y
NFC application configuration updated.

That’s it. No more accidental OTP strings. Read on for more context, and to understand what you just disabled.

Disabling OTP vs. Removing the Credential

There are actually two different things you can do here to remove OTP, and it’s worth understanding the distinction.

Disabling the OTP application is what the Quick Reference section above does. This turns off the entire OTP interface at the transport level—USB and/or NFC. The YubiKey no longer presents an OTP interface to the host at all. The credential that was in the slot still exists on the key, but it’s completely inaccessible. This is the recommended approach if you don’t use OTP for anything.

Removing the slot credential is a more surgical option. Your YubiKey has two OTP slots: Slot 1 (short touch, 1–2.5 seconds) and Slot 2 (long touch, 3–5 seconds). The accidental-OTP problem is almost always Slot 1 firing on a brief touch. You can remove just that credential while leaving the OTP application enabled:

$ ykman otp info
Slot 1: programmed
Slot 2: empty

$ ykman otp delete 1
Do you really want to delete the configuration of slot 1? [y/N]: y

After this, touching the sensor briefly does nothing—Slot 1 is empty, so there’s no credential to fire. But the OTP application itself is still active, which means you could program a new credential into either slot later if you wanted to.

You can check the current state of your slots at any time with ykman otp info.

When to use which: if you never use OTP for anything—and most people don’t—disable the entire application. If you want to keep one slot active (say, a static password in Slot 2) but stop the accidental Slot 1 misfires, just delete the Slot 1 credential.

What This Doesn’t Affect

This is the part where I reassure you that you’re not breaking your YubiKey.

Disabling OTP has zero effect on any of the other applications on your key. YubiKey applications are independent modules, and turning one off doesn’t touch the others:

• FIDO2/WebAuthn — passkeys, hardware security keys for web authentication. This is what the industry has moved to, and it has nothing to do with OTP.
• OpenPGP — GPG commit signing, encryption, and authentication. If you followed my GPG commit signing guide, none of that is affected.
• PIV — smart card authentication, certificate-based auth. Unrelated to OTP.
• OATH — TOTP and HOTP via the Yubico Authenticator app. This is a common source of confusion—the OATH application is a completely separate module from the OTP application, even though the names sound similar. Disabling OTP does not affect your TOTP codes in Yubico Authenticator.

Re-Enabling OTP

Disabling OTP is fully reversible.

If you ever need OTP back—and I’m struggling to imagine why you would, but who am I to judge—the process is straightforward.

Via the GUI app: same steps as before in the Quick Reference, but check the OTP box instead of unchecking it.

Via ykman:

# Re-enable OTP over USB
ykman config usb --enable OTP

# Re-enable OTP over NFC
ykman config nfc --enable OTP

If you went the slot-credential route and deleted the Yubico OTP credential from Slot 1, you can reprogram it:

$ ykman otp yubiotp 1 --serial-public-id --generate-private-id --generate-key
Using YubiKey serial as public ID: vvcccbblbgjr
Using a randomly generated private ID: 7d795b01b50c
Using a randomly generated secret key: f857d5634a0cf143b7bf88dd0ee6af92
Program a YubiOTP credential in slot 1? [y/N]: y

This generates a new Yubico OTP credential and programs it into Slot 1. Note that this is a new credential—the old one is gone—so you would need to re-register it with any services that relied on the previous Yubico OTP credential.²

What OTP Actually Is (And Why You Probably Don’t Need It)

If you’re still reading, you might be curious about what exactly you just turned off, and why it existed in the first place. The OTP application on a YubiKey supports several different credential types, and the terminology can be confusing because “OTP” gets used to mean different things in different contexts.

Yubico OTP

Every YubiKey ships with a Yubico OTP credential pre-programmed into Slot 1, and it’s the thing that fires when you accidentally touch the sensor.

When the slot fires, the YubiKey types a 44-character string that encodes the key’s identity and a counter, encrypted with a symmetric key that’s shared with Yubico’s validation servers (YubiCloud). A service that wants to verify the OTP sends it to YubiCloud, which decrypts it, checks the counter to prevent replay attacks, and responds with a pass or fail.³

That pre-programmed Slot 1 credential is registered with YubiCloud at the factory—which is what makes Yubico OTP work out of the box, but also means the symmetric key exists on Yubico’s servers from day one. This is fine for the threat model the protocol was designed around back in the day, but it’s another reason the industry has converged on public-key approaches like FIDO2 where no copy of your secret lives anywhere but on the key itself.

This was genuinely useful in the pre-FIDO2 era. Before WebAuthn became a standard, Yubico OTP was one of the best options available for hardware-backed two-factor authentication. Some services still support it—Yubico’s own forums being a notable example—but the list has been shrinking for years as the industry has converged on FIDO2/WebAuthn.

The name “YubiKey” itself is a reference to this feature—”Yubi” comes from “ubiquitous,” and the original product, released in 2008, was an OTP token only.

Static Password

A YubiKey OTP slot can also be configured to hold a static password—a fixed string that gets typed every time you touch the sensor.⁴ This is essentially a hardware-stored password.

It’s the simplest credential type: no cloud validation, no counters, no encryption. Just a string that gets typed. Some people use this as a component of a passphrase—the YubiKey types a long random portion, and they type a memorized prefix or suffix. In practice, this is rarely used, and FIDO2/WebAuthn is a far better solution for authentication.

OATH HOTP

OTP slots can also hold HMAC-based One-Time Password (HOTP) credentials, as defined in RFC 4226. These are counter-based: each touch generates the next code in a sequence.

This is distinct from the OATH application on the YubiKey, which is a separate module that can store many TOTP and HOTP credentials and is accessed via the Yubico Authenticator app rather than through the OTP slot. If you have an HOTP credential in an OTP slot, disabling the OTP application will disable it—but the OATH application remains unaffected.

OATH TOTP (A Common Source of Confusion)

Time-based One-Time Passwords (RFC 6238) cannot be generated via the OTP slots. The YubiKey lacks a real-time clock, so it can’t compute time-based codes on its own.

TOTP is instead handled by the separate OATH application on the YubiKey. The YubiKey stores the TOTP secrets, and the Yubico Authenticator app on your computer or phone provides the clock and displays the codes. This is an entirely different module from OTP—disabling the OTP application has no effect on your TOTP codes.

This is probably the single biggest point of confusion around YubiKey OTP. People hear “I’m disabling OTP” and panic about their authenticator codes. The OATH application and the OTP application have nothing to do with each other.

Why FIDO2/WebAuthn Replaced All of This

FIDO2/WebAuthn is the modern standard for hardware-backed authentication, and it fixes the problems that every OTP-based approach has:

• Phishing-resistant by design — the credential is origin-bound, meaning the browser will not submit it to a lookalike domain that an attacker may have set up. OTP credentials have no concept of origin—they’re just strings that get pasted wherever you’re typing, which is, incidentally, the entire problem this post is about.
• No shared secrets — FIDO2 uses public-key cryptography. The private key never leaves the hardware token. Yubico OTP requires a symmetric key shared between the YubiKey and YubiCloud, which means there’s a copy of the secret on Yubico’s servers.
• No third-party validation service — FIDO2 verification happens directly between the service you’re logging into and the authenticator. Yubico OTP requires the service to send the OTP to YubiCloud for validation.
• Built into everything — every major browser, operating system, and a rapidly growing number of services support WebAuthn natively.

Conclusion

The OTP application on your YubiKey is a legacy feature. It was useful in its time, but that time has largely passed. Disabling it doesn’t remove any functionality you’re likely using—it just stops the key from doing the one thing that annoys you, and spares your peers from seeing (and making fun of) your gibberish strings.

Footnotes