You can use the YubiKey Manager CLI (ykman) with the ykman fido credentials list command to list the credentials stored on the Apex / FlexSecure. You need to specify the reader you use with "--reader".
General info. Note that FIDO2 is shown as not available, but that is incorrect; it works regardless:
❯ ykman --reader "NFC NCI 00 00" info
Device type: YubiKey 4
Serial number: 279773097
Firmware version: 4.0.0
NFC transport is enabled
Applications    USB             NFC
Yubico OTP      Disabled        Enabled
FIDO U2F        Disabled        Enabled
FIDO2           Not available   Not available
OATH            Disabled        Enabled
PIV             Disabled        Enabled
OpenPGP         Disabled        Enabled
YubiHSM Auth    Not available   Not available
Check out the FIDO options. Fingerprints and config are not supported by our applet. Reset must be done by re-installing via Fidesmo instead.
❯ ykman --reader "NFC NCI 00 00" fido
Usage: ykman fido [OPTIONS] COMMAND [ARGS]...
Manage the FIDO applications.
Examples:
Reset the FIDO (FIDO2 and U2F) applications:
$ ykman fido reset
Change the FIDO2 PIN from 123456 to 654321:
$ ykman fido access change-pin --pin 123456 --new-pin 654321
Options:
-h, --help show this message and exit
Commands:
info display general status of the FIDO2 application
reset reset all FIDO applications
access manage the PIN for FIDO
config manage FIDO configuration
credentials manage discoverable (resident) credentials
fingerprints manage fingerprints
Query info about the FIDO applet:
❯ ykman --reader "NFC NCI 00 00" fido info
PIN: 8 attempt(s) remaining
Minimum PIN length: 4
Always Require UV: Off
Credential storage remaining: 22
Check out credential operations:
❯ ykman --reader "NFC NCI 00 00" fido credentials
Usage: ykman fido credentials [OPTIONS] COMMAND [ARGS]...
Manage discoverable (resident) credentials.
This command lets you manage credentials stored on your YubiKey. Credential management is only available when a FIDO PIN is set on the YubiKey.
Examples:
List credentials (providing PIN via argument):
$ ykman fido credentials list --pin 123456
Delete a credential (ID shown in "list" output, PIN will be prompted for):
$ ykman fido credentials delete da7fdc
Options:
-h, --help show this message and exit
Commands:
delete delete a credential
list list credentials
List existing credentials:
❯ ykman --reader "NFC NCI 00 00" fido credentials list
Enter your PIN:
Credential ID RP ID Username Display name
f██████9... g█████.com StarGate01
d██████9... g█████.com c████████████████████e
2██████2... v█████████████n.com c████████████████████e
f██████1... w█████████.com c████████████████████e
You can then use the ykman fido credentials delete command to delete a specific credential by specifying its ID.
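The following is an added example, not part of the original post or of ykman: a shell check that parses the ykman fido info output shown above and warns when the PIN retry counter or the remaining credential storage runs low. The function names and both thresholds are assumptions; the second sample is constructed.

```shell
READER="${READER:-NFC NCI 00 00}"   # reader name used in the post
MIN_PIN_RETRIES=3                   # assumed warning threshold
MIN_FREE_SLOTS=5                    # assumed warning threshold

# Output copied from the "fido info" step in the post.
SAMPLE_PAGE='PIN: 8 attempt(s) remaining
Minimum PIN length: 4
Always Require UV: Off
Credential storage remaining: 22'
# Constructed sample: PIN close to lockout, credential storage nearly full.
SAMPLE_LOW='PIN: 2 attempt(s) remaining
Minimum PIN length: 4
Always Require UV: Off
Credential storage remaining: 1'

# fido_field TEXT KEY: print the value that follows "KEY:" on its line.
fido_field() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}
# is_number VALUE: succeed only for a non-empty string of digits.
is_number() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# check_fido_info TEXT: print one finding per line, return 1 on any WARN.
check_fido_info() {
  local pin retries slots rc=0
  pin=$(fido_field "$1" "PIN")
  slots=$(fido_field "$1" "Credential storage remaining")
  retries=${pin%% *}                # "8 attempt(s) remaining" -> "8"
  if ! is_number "$retries"; then
    echo "WARN pin: no retry counter found"; rc=1
  elif [ "$retries" -lt "$MIN_PIN_RETRIES" ]; then
    echo "WARN pin: $retries attempts left"; rc=1
  else
    echo "OK pin: $retries attempts left"
  fi
  if ! is_number "$slots"; then
    echo "WARN storage: free slot count not found"; rc=1
  elif [ "$slots" -lt "$MIN_FREE_SLOTS" ]; then
    echo "WARN storage: $slots slots free"; rc=1
  else
    echo "OK storage: $slots slots free"
  fi
  return "$rc"
}

# Query a real token only on request; the samples above need no hardware.
if [ "${1:-}" = "--live" ]; then
  check_fido_info "$(ykman --reader "$READER" fido info)"
fi
```

Run it with --live to check the token on the reader; without arguments it only defines the functions and samples.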