--- url: 'https://www.corbado.com/blog/delete-passkey-from-yubikey' title: 'How to delete a Passkey from a YubiKey?' description: 'Learn how to delete passkeys / discoverable credentials from a YubiKey using ykman CLI or Yubico Authenticator on macOS / Windows. Fix "no storage" errors.' lang: 'en' author: 'Vincent' date: '2026-02-17T16:09:22.020Z' lastModified: '2026-03-26T07:01:12.573Z' keywords: 'delete passkey yubikey, yubikey no storage, ykman fido credentials, yubikey passkey full, delete discoverable credential, yubikey fido2 reset' category: 'Passkeys User Tips' --- # How to delete a Passkey from a YubiKey? ## How to delete a Passkey from a YubiKey? **Executive summary:** If your browser says your [YubiKey](https://www.corbado.com/glossary/yubikey) has "not enough space for any more account" while adding a new passkey, you have likely filled the key's **FIDO2 discoverable credential** storage (resident credentials). Hardware passkeys are **stored on the key** and therefore **capacity-limited**. You can free space by listing and deleting resident credentials with **ykman** (CLI) or via **Yubico Authenticator** (GUI) - with **FIDO2 reset** as an irreversible last resort. ## Key Facts - **Discoverable credential** capacity on YubiKey varies by firmware: newer versions support up to 100 passkeys while some older hardware/firmware combinations cap at 25. - The 'not enough space' or 'security key is full' error means **discoverable credential slots** are exhausted: delete at least one stored passkey before enrolling another. - **FIDO2 PIN** is required to list or delete discoverable credentials: set it via ykman or Yubico Authenticator before attempting any credential management. - The **ykman CLI** (`ykman fido credentials list` and `ykman fido credentials delete`) provides the fastest cross-platform path, working on macOS, Windows and Linux. - A **FIDO2 reset** via `ykman fido reset` permanently wipes all FIDO credentials including U2F registrations and removes the PIN with no recovery option. ## 1. Why you hit "not enough Space anymore" when adding a Passkey The failure mode typically looks like this: you try to create a new passkey on a [YubiKey](https://www.corbado.com/glossary/yubikey), the browser asks for your **FIDO2 PIN** and a touch and then you get an error along the lines of **"not enough space" / "security key is full" / "no storage anymore."** This is almost always the [YubiKey](https://www.corbado.com/glossary/yubikey) telling the browser it cannot store another **discoverable credential (resident key)**. ![your device cant be used with this site](https://s3.eu-central-1.amazonaws.com/corbado-cloud-staging-website-assets/your_device_cant_be_used_with_this_site_452c59acf5.png) Why it happens: - A "passkey" (in the strict WebAuthn sense) is fundamentally a **discoverable credential** - credentials that can be used in flows where the [relying party](https://www.corbado.com/glossary/relying-party) does **not** provide credential IDs up front (so the [authenticator](https://www.corbado.com/glossary/authenticator) must store enough locally to be discoverable). - Discoverable credentials are **stored on the authenticator** (your YubiKey), so **hardware security keys have finite storage** for them. - YubiKey capacity depends on model and firmware: newer YubiKey firmware lines support **up to 100 discoverable credentials (passkeys)** while earlier limits include **25 discoverable credentials** on some hardware/firmware combinations. The practical consequence is simple: if you are out of [discoverable-credential](https://www.corbado.com/glossary/discoverable-credential) slots, you must **delete at least one stored passkey** (or perform a reset) before you can add another. ## 2. Discoverable vs. non-discoverable Credentials To better understand the distinction between discoverable credentials (resident keys) and non-discoverable credentials (non-resident keys), we recommend to read our dedicated article on WebAuthn resident keys. ## 3. Step-by-step: install ykman and delete a Discoverable Credential This is the shortest path to free up YubiKey passkey storage using the CLI. The steps work on **macOS, Windows and Linux**. A quick prerequisite that matters in practice: **managing resident keys / discoverable credentials requires a FIDO2 PIN.** If you never set one, you will need to set it first (either at registration time or via tooling). ### 3.1 Install ykman **macOS (Homebrew):** ```bash brew install ykman ``` **Windows (winget or MSI):** ```bash winget install Yubico.YubikeyManager ``` Alternatively, download the [YubiKey Manager installer](https://www.yubico.com/support/download/yubikey-manager/) from Yubico's website. On Windows the `ykman` CLI is bundled with YubiKey Manager and available from the install directory or via PATH after installation. **Linux (pip or package manager):** ```bash pip install yubikey-manager ``` Verify that ykman runs and can see your key: ```bash ykman --version ykman list ``` `ykman list` is the standard "is my key visible?" check (it can also list serials with `--serials`). ![ykman list](https://s3.eu-central-1.amazonaws.com/corbado-cloud-staging-website-assets/ykman_list_b0f4c52644.png) ### 3.2 List Discoverable Credentials stored on the YubiKey List the discoverable credentials (passkeys) stored on the key: ```bash ykman fido credentials list ``` This command is specifically for **discoverable credentials** stored on the YubiKey. Credential management requires a PIN set on the key. If you suspect the output is truncated or you want full fields in a machine-friendly format, use the CSV option: ```bash ykman fido credentials list --csv ``` The `--csv` flag returns more complete information in CSV format. ![ykman fido credentials list](https://s3.eu-central-1.amazonaws.com/corbado-cloud-staging-website-assets/ykman_fido_credentials_list_6bd085dc2e.png) ### 3.3 Delete a Discoverable Credential to free Storage Once you identify a credential you no longer need, delete it by providing its [credential ID](https://www.corbado.com/blog/webauthn-user-id-userhandle) (or a unique substring/prefix): ```bash ykman fido credentials delete ``` Two implementation details matter: - `ykman fido credentials delete` expects **a unique substring match** of the credential ID (so you typically do not need to paste the full value). The characters before `...` are fine - The confirmation requires the PIN that you've set for the unlocking / using the Yubikey in general. - The `--force` flag skips confirmation prompts (useful in scripts but riskier interactively). ![ykman fido credentials delete](https://s3.eu-central-1.amazonaws.com/corbado-cloud-staging-website-assets/ykman_fido_credentials_delete_a155fd9b89.png) ### 3.4 GUI Alternative with Yubico Authenticator If you prefer a GUI (or want a safer "click what you mean" flow), **[Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)** can list and [delete passkeys](https://www.corbado.com/blog/webauthn-signal-api) stored on the YubiKey: - Open the app and select **Passkeys** - Enter your **FIDO2 PIN** to unlock - Select the passkey and click **Delete passkey** ### 3.5 Fallback: FIDO2 Reset If you cannot manage credentials (e.g. you have forgotten the PIN and have no recovery path) or you deliberately want to wipe the key's FIDO registrations, the last resort is a **FIDO2 reset**. With ykman, the command is: ```bash ykman fido reset ``` This **wipes all FIDO credentials** including **FIDO U2F credentials** and **removes the PIN code**. The reset is triggered after reinsertion and requires a touch. There is **no way to recover** those credentials afterward. ## 4. CLI vs. GUI Comparison | Method | Pros | Cons | Commands / Steps | | -------------------------- | ------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | ykman (CLI) | Fastest for power users; scriptable; full details via `--csv`; delete by unique prefix | Requires terminal comfort; easy to delete the wrong credential if not careful; requires PIN | `brew install ykman` (macOS) or `winget install Yubico.YubikeyManager` (Windows) then `ykman fido credentials list [--csv]` then `ykman fido credentials delete ` | | Yubico Authenticator (GUI) | Safest for most users; shows passkey details (RP ID, user, credential ID); guided deletion | Passkey management only on Desktop/Android; still requires FIDO2 PIN; deletion is permanent for that login | Open app then Passkeys then Unlock (PIN) then select passkey then Delete | ## 5. Troubleshooting FAQ **Why does `ykman` say "command not found" after installation?** On macOS this is typically a PATH issue. Homebrew installs to **`/opt/homebrew` (Apple Silicon)** or **`/usr/local` (Intel)** by default. Add the appropriate `brew shellenv` line to your shell configuration and restart the terminal. On Windows make sure the YubiKey Manager install directory is in your PATH or launch `ykman` from its install location. **Why does `ykman fido credentials list` fail or complain about PIN requirements?** Credential management requires that a **FIDO2 PIN is set** on the key. Set or change the PIN using ykman ("access" commands) or Yubico [Authenticator](https://www.corbado.com/glossary/authenticator) then retry listing/deleting. **Why do I not see anything in the Passkeys list even though I am sure the key is "full"?** Make sure you are distinguishing **passkeys (discoverable credentials)** from other [FIDO2](https://www.corbado.com/glossary/fido2) credentials. **Non-discoverable credentials (non-resident keys) cannot be listed or managed on the Passkeys page** even though they still exist as registrations for specific services. If your issue is specifically "storage full" it should correlate to discoverable credentials (the ones you _can_ list and delete). **Can I do this on Windows or Linux?** Yes. The `ykman` CLI and Yubico [Authenticator](https://www.corbado.com/glossary/authenticator) work on macOS, Windows and Linux. On Windows install via `winget install Yubico.YubikeyManager` or download the [MSI installer from Yubico](https://www.yubico.com/support/download/yubikey-manager/). On Linux install via `pip install yubikey-manager` or your distribution's package manager. ## 6. Conclusion Running out of [discoverable credential](https://www.corbado.com/blog/webauthn-resident-key-discoverable-credentials-passkeys) slots on a YubiKey is a common issue, especially for users who register passkeys across many services. The fix is straightforward: use `ykman fido credentials list` to see what is stored and `ykman fido credentials delete` to remove credentials you no longer need. For a GUI approach, [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/) offers the same functionality with less risk of accidental deletion. If all else fails, `ykman fido reset` wipes everything - but treat it as the nuclear option. For more context on [troubleshooting](https://www.corbado.com/blog/passkey-troubleshooting-solutions) common passkey errors or understanding how [hardware security keys](https://www.corbado.com/blog/best-fido2-hardware-security-keys) compare, check out our related guides. ## Frequently Asked Questions ### How do I see exactly which passkeys are stored on my YubiKey before I delete anything? Run `ykman fido credentials list` after installing the ykman CLI via `brew install ykman` on macOS or `winget install Yubico.YubikeyManager` on Windows. Add the `--csv` flag to get more complete, machine-readable output with full credential details. A FIDO2 PIN must already be set on the key for this command to succeed. ### What is the difference between discoverable and non-discoverable credentials on a YubiKey, and which ones cause the 'storage full' error? Discoverable credentials are stored directly on the YubiKey so the authenticator can surface them without the relying party supplying credential IDs up front, which is why they consume finite on-device storage slots. Non-discoverable credentials exist as registrations for specific services but cannot be listed or managed via passkey tools and do not count toward the slot limit. The 'storage full' error specifically reflects exhausted discoverable credential slots, not non-discoverable registrations. ### Can I delete just one passkey from my YubiKey without wiping the whole device? Yes. Use `ykman fido credentials delete ` to remove a single credential identified by a unique substring of its credential ID. Alternatively, open Yubico Authenticator on desktop, navigate to the Passkeys section, unlock with your FIDO2 PIN and delete the specific entry. Only the FIDO2 reset command wipes everything. ### Why does ykman say 'command not found' after I installed it on macOS or Windows? On macOS this is a PATH issue: Homebrew installs ykman to `/opt/homebrew` on Apple Silicon or `/usr/local` on Intel Macs, so add the appropriate `brew shellenv` line to your shell config and restart the terminal. On Windows, ensure the YubiKey Manager install directory is included in your PATH or launch ykman directly from its install location.