Learn how to delete passkeys / discoverable credentials from a YubiKey using ykman CLI or Yubico Authenticator on macOS / Windows. Fix "no storage" errors.
Vincent
Created: February 17, 2026
Updated: March 26, 2026


Executive summary: If your browser says your YubiKey has "not enough space for any more account" while adding a new passkey, you have likely filled the key's FIDO2 discoverable credential storage (resident credentials). Hardware passkeys are stored on the key and therefore capacity-limited. You can free space by listing and deleting resident credentials with ykman (CLI) or via Yubico Authenticator (GUI) - with FIDO2 reset as an irreversible last resort.
- The ykman CLI (ykman fido credentials list and ykman fido credentials delete) provides the fastest cross-platform path, working on macOS, Windows and Linux.
- ykman fido reset permanently wipes all FIDO credentials including U2F registrations and removes the PIN with no recovery option.

The failure mode typically looks like this: you try to create a new passkey on a YubiKey, the browser asks for your FIDO2 PIN and a touch and then you get an error along the lines of "not enough space" / "security key is full" / "no storage anymore." This is almost always the YubiKey telling the browser it cannot store another discoverable credential (resident key).
Why it happens:
The practical consequence is simple: if you are out of discoverable-credential slots, you must delete at least one stored passkey (or perform a reset) before you can add another.
To better understand the distinction between discoverable credentials (resident keys) and non-discoverable credentials (non-resident keys), we recommend reading our dedicated article on WebAuthn resident keys.
This is the shortest path to free up YubiKey passkey storage using the CLI. The steps work on macOS, Windows and Linux.
A quick prerequisite that matters in practice: managing resident keys / discoverable credentials requires a FIDO2 PIN. If you never set one, you will need to set it first (either at registration time or via tooling).
macOS (Homebrew):
brew install ykman
Windows (winget or MSI):
winget install Yubico.YubikeyManager
Alternatively, download the
YubiKey Manager installer from
Yubico's website. On Windows the ykman CLI is bundled with YubiKey Manager and available
from the install directory or via PATH after installation.
Linux (pip or package manager):
pip install yubikey-manager
Verify that ykman runs and can see your key:
ykman --version
ykman list
ykman list is the standard "is my key visible?" check (it can also list serials with
--serials).
List the discoverable credentials (passkeys) stored on the key:
ykman fido credentials list
This command is specifically for discoverable credentials stored on the YubiKey. Credential management requires a PIN set on the key.
If you suspect the output is truncated or you want full fields in a machine-friendly format, use the CSV option:
ykman fido credentials list --csv
The --csv flag returns more complete information in CSV format.
Once you identify a credential you no longer need, delete it by providing its credential ID (or a unique substring/prefix):
ykman fido credentials delete <CREDENTIAL_ID_OR_UNIQUE_PREFIX>
Two implementation details matter:
- ykman fido credentials delete expects a unique substring match of the credential ID (so you typically do not need to paste the full value). The characters before ... are fine.
- The --force flag skips confirmation prompts (useful in scripts but riskier interactively).

If you prefer a GUI (or want a safer "click what you mean" flow), Yubico Authenticator can list and delete passkeys stored on the YubiKey:
If you cannot manage credentials (e.g. you have forgotten the PIN and have no recovery path) or you deliberately want to wipe the key's FIDO registrations, the last resort is a FIDO2 reset.
With ykman, the command is:
ykman fido reset
This wipes all FIDO credentials including FIDO U2F credentials and removes the PIN code. The reset is triggered after reinsertion and requires a touch. There is no way to recover those credentials afterward.
| Method | Pros | Cons | Commands / Steps |
|---|---|---|---|
| ykman (CLI) | Fastest for power users; scriptable; full details via --csv; delete by unique prefix | Requires terminal comfort; easy to delete the wrong credential if not careful; requires PIN | brew install ykman (macOS) or winget install Yubico.YubikeyManager (Windows) then ykman fido credentials list [--csv] then ykman fido credentials delete <id> |
| Yubico Authenticator (GUI) | Safest for most users; shows passkey details (RP ID, user, credential ID); guided deletion | Passkey management only on Desktop/Android; still requires FIDO2 PIN; deletion is permanent for that login | Open app then Passkeys then Unlock (PIN) then select passkey then Delete |
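
The CLI row above flags the risk of deleting the wrong credential when matching by ID fragment. The following is an added example, not code from the original article or from Yubico: it parses saved --csv output, refuses any fragment that does not resolve to exactly one credential, and builds the delete command with the full ID. The CSV column names (credential_id, rp_id, user_name) are assumptions to compare with your ykman output, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample of `ykman fido credentials list --csv` output.
# The header names are an assumption; compare them with what your ykman prints.
SAMPLE_CSV = """credential_id,rp_id,user_name,user_display_name,user_id
a1b2c3d4e5f60718,github.com,alice,Alice Example,01aa
a1b2c3d4ffee0099,example.org,alice@example.org,Alice Example,02bb
77889900aabbccdd,example.org,old-test-account,Test,03cc
"""

REQUIRED = ("credential_id", "rp_id", "user_name")


def parse_listing(text):
    """Parse the CSV listing into dicts, failing loudly if the layout differs."""
    reader = csv.DictReader(io.StringIO(text.strip()))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"unexpected CSV header, missing columns: {missing}")
    return [row for row in reader if row["credential_id"]]


def resolve(creds, fragment):
    """Return the single credential whose ID contains `fragment`, or raise."""
    # The plain listing shortens IDs with "..."; only the characters before it count.
    needle = fragment.strip().rstrip(".").lower()
    if not needle:
        raise ValueError("empty credential ID fragment")
    hits = [c for c in creds if needle in c["credential_id"].lower()]
    if len(hits) != 1:
        found = ", ".join(f'{c["rp_id"]}/{c["user_name"]}' for c in hits) or "none"
        raise LookupError(f"{needle!r} matches {len(hits)} credentials: {found}")
    return hits[0]


def delete_argv(cred):
    """Build the delete command with the full ID so the match cannot be ambiguous."""
    return ["ykman", "fido", "credentials", "delete", cred["credential_id"]]


if __name__ == "__main__":
    creds = parse_listing(SAMPLE_CSV)
    target = resolve(creds, "7788...")
    print("would delete:", target["rp_id"], target["user_name"])
    print("command:", " ".join(delete_argv(target)))
```

The script only prints the command; review the relying party and user name it reports before running the command yourself.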
Why does ykman say "command not found" after installation? On macOS this is
typically a PATH issue. Homebrew installs to /opt/homebrew (Apple Silicon) or
/usr/local (Intel) by default. Add the appropriate brew shellenv line to your
shell configuration and restart the terminal. On Windows make sure the YubiKey Manager
install directory is in your PATH or launch ykman from its install location.
Why does ykman fido credentials list fail or complain about PIN requirements?
Credential management requires that a FIDO2 PIN is set on the key. Set or change the
PIN using ykman ("access" commands) or Yubico Authenticator
then retry listing/deleting.
Why do I not see anything in the Passkeys list even though I am sure the key is "full"? Make sure you are distinguishing passkeys (discoverable credentials) from other FIDO2 credentials. Non-discoverable credentials (non-resident keys) cannot be listed or managed on the Passkeys page even though they still exist as registrations for specific services. If your issue is specifically "storage full" it should correlate to discoverable credentials (the ones you can list and delete).
Can I do this on Windows or Linux? Yes. The ykman CLI and Yubico
Authenticator work on macOS, Windows and Linux. On Windows
install via winget install Yubico.YubikeyManager or download the
MSI installer from Yubico. On
Linux install via pip install yubikey-manager or your distribution's package manager.
Running out of
discoverable credential
slots on a YubiKey is a common issue, especially for users who register passkeys across
many services. The fix is straightforward: use ykman fido credentials list to see what
is stored and ykman fido credentials delete to remove credentials you no longer need.
For a GUI approach,
Yubico Authenticator offers the
same functionality with less risk of accidental deletion. If all else fails,
ykman fido reset wipes everything - but treat it as the nuclear option. For more context
on troubleshooting common passkey errors or
understanding how hardware security keys
compare, check out our related guides.
Run ykman fido credentials list after installing the ykman CLI via brew install ykman
on macOS or winget install Yubico.YubikeyManager on Windows. Add the --csv flag to get
more complete, machine-readable output with full credential details. A FIDO2 PIN must
already be set on the key for this command to succeed.
Discoverable credentials are stored directly on the YubiKey so the authenticator can surface them without the relying party supplying credential IDs up front, which is why they consume finite on-device storage slots. Non-discoverable credentials exist as registrations for specific services but cannot be listed or managed via passkey tools and do not count toward the slot limit. The 'storage full' error specifically reflects exhausted discoverable credential slots, not non-discoverable registrations.
Yes. Use ykman fido credentials delete <CREDENTIAL_ID_OR_UNIQUE_PREFIX> to remove a
single credential identified by a unique substring of its credential ID. Alternatively,
open Yubico Authenticator on desktop, navigate to the Passkeys section, unlock with your
FIDO2 PIN and delete the specific entry. Only the FIDO2 reset command wipes everything.
On macOS this is a PATH issue: Homebrew installs ykman to /opt/homebrew on Apple Silicon
or /usr/local on Intel Macs, so add the appropriate brew shellenv line to your shell
config and restart the terminal. On Windows, ensure the YubiKey Manager install directory
is included in your PATH or launch ykman directly from its install location.