
How to remove credentials from a FIDO2 key

In this blog post, I will show you how to remove credentials stored on a FIDO2 key (Feitian) and some reasons why you might need to do some housekeeping on the FIDO2 devices you own.

  • Intended audience
    • End-users and admins that have experience using the FIDO2 key in general.
  • Required hardware
    • Feitian FIDO2 key.
  • Operating system
    • Windows 10 or 11.
    • macOS.

Why bother spending time to remove credentials from a FIDO2 key?

So, why even bother with the cleanup? After all, some of these devices can hold unlimited credentials, right?

Long lists of credentials to select from

During your journey with your FIDO2 devices, you might have tested access with multiple credentials on the same web service, and afterward you have to select which of the numerous credentials you wish to access that service with. That becomes annoying once those other accounts are no longer needed. And according to the KonMari principle, you should hold your credentials in your hand once in a while and ask yourself if they “spark joy”. If not, remove those credentials.

Windows login confusion

Some services like passwordless login to Windows might not even let you select which account to use if multiple accounts exist for the same tenant/service. These usually prefer the last credential added to the key. So, in that case, you might still want multiple credentials, but you need to change the order in which they are listed. Well, as far as I know, the only way of changing that order is to delete the credential you want the service to auto-select and then add it again, making it the last added credential to the key, thus being the one that is auto-selected for use.

How to actually remove credentials from a FIDO2 key

The methods differ from vendor to vendor. Some browsers also have key management support, which is semi-universal, but it seems to have been removed in some updates, so I will focus on the vendor-specific methods of doing this task.

The Feitian way

Since Feitian was nice enough to send me a key for testing, this guide will focus on using their tool, but the process is more or less the same for all vendors, and they just have different applications to do it.

Note that to remove credentials from a FIDO2 key, you will most likely need to use the vendor’s own application.

Feitian has a simple GUI tool that you can use to enumerate and remove credentials from a FIDO2 key. It is called the FEITIAN SK Manager Tool.

Download FEITIAN SK Manager Tool from their website:
FEITIAN SK Manager Tool User Manual – FIDO Security Keys (ftsafe.com)

NB: There do not seem to be any command-line tools for this.

To remove a specific credential, start the FEITIAN SK Manager Tool and insert the FIDO2 key once prompted to do so (you could also have it pre-inserted).

Now, click on the “Applications” menu item, then “FIDO2” and finally “Enum Credential” in the main window.

After you have been prompted for the key PIN, the tool will show you the FIDO2 credentials found on the key.

Now, tick the box to the left of the credential you wish to remove and make it so by clicking on the “Delete” button.


That’s it! And really, it should not be more complicated than this.

Final Words

Now that your key is nice and tidy, and you feel a sense of joy when holding your credentials in the palm of your hand, I hope you will show some love on social media and subscribe to our newsletter.


Michael Mardahl

Michael works as a Microsoft Certified Cloud Architect with APENTO in Denmark. He specializes in customer journeys from classic infrastructure to cloud consumption, with a strong focus on security. He has been working in the IT industry for more than 20 years, where he started as a Network Administrator in the logistics industry. He has gained experience through a broad range of IT projects throughout the years and was very early to embrace and share his passion for cloud technology. When not at work, Michael enjoys spending time with family and friends and blogs passionately about Microsoft cloud technology whenever he has time to spare. This has earned him the title of Microsoft Most Valuable Professional (MVP) in the Enterprise Mobility category.
