In this blog post, I will show you how to remove credentials stored on a FIDO2 key (Feitian) and some reasons why you might need to do some housekeeping on the FIDO2 devices you own.
- Intended audience: end-users and admins who have experience using FIDO2 keys in general.
- Required hardware: a Feitian FIDO2 key.
- Operating system: Windows 10 or 11.
Why bother spending time to remove credentials from a FIDO2 key?
So, why even bother with the cleanup, when some of these devices can hold unlimited credentials?
Long lists of credentials to select from
During your journey with your FIDO2 devices, you might have tested access with multiple credentials on the same web service. Afterward, you have to select which of the numerous credentials you wish to use each time you access that service. That becomes annoying once you reach a point where those other accounts are no longer needed. And according to the KonMari principle, you should hold your credentials in your hand once in a while and ask yourself if they “spark joy” – if not, then remove those credentials.
Windows login confusion
Some services, like passwordless login to Windows, might not even let you select which account to use if multiple accounts exist for the same tenant/service. These usually prefer the last credential added to the key. So, in that case, you might still want multiple credentials on the key, but you need to change the order in which they are listed. Well, as far as I know, the only way of changing that order is to delete the credential you want the service to auto-select and then add it again, making it the last credential added to the key and thus the one that is auto-selected for use.
How to actually remove credentials from a FIDO2 key
The methods differ from vendor to vendor, and some browsers also have key management support, which is semi-universal. Still, that support seems to have been removed in some updates, so I will focus on the vendor-specific methods of doing this task.
The Feitian way
Since Feitian was nice enough to send me a key for testing, this guide will focus on using their tool, but the process is more or less the same for all vendors, and they just have different applications to do it.
Note that to remove credentials from a FIDO2 key, you will most likely need to use the vendor’s own application.
Feitian has a simple GUI tool that you can use to enumerate and remove credentials from a FIDO2 key. It is called the FEITIAN SK Manager Tool.
Download FEITIAN SK Manager Tool from their website:
FEITIAN SK Manager Tool User Manual – FIDO Security Keys (ftsafe.com)
NB: There do not seem to be any command-line tools for this.
To remove a specific credential, start the FEITIAN SK Manager Tool and insert the FIDO2 key once prompted to do so (you could also have it pre-inserted).
Now, click on the “Applications” menu item, then “FIDO2” and finally “Enum Credential” in the main window.
After you enter the key PIN when prompted, the tool will show you the FIDO2 credentials found on the key.
Now, tick the box to the left of the credential you wish to remove and click the “Delete” button.
That’s it! And really, it should not be more complicated than this.
Now that your key is nice and tidy, and you feel a sense of joy when holding your credentials in the palm of your hand, I hope you will show some love on social media and subscribe to our newsletter.