How to Check Results in YubiKey: Verify Certificates, OTPs, FIDO2, and Smart Card Status

Written by: Abigail Ivy
Published on:

What this article covers

If you need to know how to check results in YubiKey, the answer depends on which YubiKey function you are using: one-time passwords, FIDO2/WebAuthn, PIV smart card, or OpenPGP.

This guide explains the practical ways to verify that a YubiKey is working, what success looks like in each mode, and how to spot common errors before they become login problems.

Understanding what “results” means on a YubiKey

Unlike a typical app that shows a visible status screen, a YubiKey confirms results indirectly through host software, browser prompts, authentication logs, or management tools.

In other words, you usually do not “check results” on the key itself; you verify the outcome in the app, operating system, identity provider, or security console connected to it.

  • OTP: The server accepts or rejects the generated code.
  • FIDO2/WebAuthn: The browser or website confirms successful authentication.
  • PIV smart card: The system validates certificate-based login or signing.
  • OpenPGP: The signing or decryption tool reports success.

How to check results in YubiKey for OTP authentication

For Yubico OTP or OATH-based use, the most direct result appears after the code is entered into a service.

If the code is accepted, the website or application signs you in; if it is not, you will see an error such as invalid code, expired code, or device not recognized.

Check OTP success in a browser or app

  1. Place the cursor in the password or token field.
  2. Tap the YubiKey to generate the one-time password.
  3. Submit the form.
  4. Look for a successful sign-in or a specific failure message.

If the service uses challenge-response or time-based one-time passwords, check whether the device clock and the enrolled secret are correct.

A mismatch often causes repeated failures even when the key is working normally.

What indicates a valid OTP result?

  • The login completes without additional prompts.
  • The service shows a successful authentication event.
  • Admin logs record a verified OTP transaction.

How to check results in YubiKey for FIDO2 and WebAuthn

FIDO2 and WebAuthn are the most common YubiKey login methods for modern services.

To check results in YubiKey for these flows, watch the browser prompt and the identity provider’s response after you tap the key and confirm presence or PIN entry.

What a successful FIDO2 check looks like

  • The browser indicates that the security key was recognized.
  • PIN entry, if required, is accepted.
  • The website completes login or registration.
  • Your account security settings show the key as enrolled.

In platforms such as Google Workspace, Microsoft Entra ID, GitHub, or Okta, you can often confirm success in account security pages or sign-in logs.

These logs may show a successful hardware-backed authentication event, the authenticator type, and the time of use.

How to verify registration versus login

Registration means the YubiKey was added to an account as a trusted authenticator.

Login means the key was used to prove identity.

Both are “results,” but they are checked in different places:

  • Registration result: Confirm in the account security or passkey management page.
  • Login result: Confirm in the browser success message or authentication log.

How to check results in YubiKey for PIV smart card functions

PIV mode is used for certificate-based authentication, digital signatures, and email encryption.

To check results in YubiKey for PIV, you usually inspect the certificate store, use management tools, or review the application that depends on the certificate.

Use YubiKey Manager or system tools

YubiKey Manager can show whether the PIV application is present and whether the device has been configured with management key settings, PINs, and certificates.

On Windows, certificate management tools can confirm whether the smart card certificate is visible to the system.

On macOS and Linux, smart card utilities and certificate viewers can provide similar verification.

Successful PIV results often appear as:

  • The certificate is listed in the smart card certificate store.
  • The login prompt accepts the PIN.
  • The signed document validates properly.
  • Email clients recognize the certificate for S/MIME.

Check certificate status carefully

If a certificate is expired, missing, or not linked to the correct private key, authentication may fail even if the YubiKey itself is detected.

Also verify whether the certificate chain is trusted by your domain controller, VPN, or enterprise application.

How to check results in YubiKey for OpenPGP

OpenPGP on a YubiKey is often used for email signing, SSH authentication, and file encryption.

The result is checked in the application that consumes the key, such as GnuPG, an email client, or an SSH session.

Signs that OpenPGP is working

  • GnuPG reports a successful signature creation.
  • Email clients show a valid signed message.
  • SSH authentication succeeds with the public key on the YubiKey.
  • Decryption completes without key errors.

If you are troubleshooting, confirm that the correct OpenPGP key is loaded on the device, the PIN is correct, and the expected subkeys are present.

A key may appear usable while still missing signing or authentication capability.

How to check results using YubiKey Manager

YubiKey Manager is one of the most useful tools for verifying device status.

It helps confirm firmware-related details, applications on the key, and some configuration settings.

While it does not replace app-level authentication logs, it gives you a reliable snapshot of what the key can do.

  • Detects the connected YubiKey model.
  • Shows supported applications such as OTP, FIDO2, PIV, and OpenPGP.
  • Helps confirm whether the device is configured as expected.
  • Supports basic management and verification tasks.

For deeper testing, use the Yubico Authenticator app for OATH codes, browser-based FIDO2 tests, or operating system smart card tools for PIV validation.

Where to find authentication logs and status reports

If your goal is to audit how to check results in YubiKey across an organization, logs are often the best source of truth.

Identity providers, VPNs, Windows Event Viewer, macOS logs, Linux authentication logs, and cloud security dashboards can show whether a YubiKey-based login succeeded or failed.

Useful places to review

  • Identity provider logs: Microsoft Entra ID, Okta, Duo, Google Admin console.
  • Operating system logs: Windows Event Viewer, macOS Unified Logs, Linux auth logs.
  • Application logs: VPN, remote access, email, or code signing tools.
  • Browser prompts: WebAuthn success or error messages during login.

Look for timestamps, user account names, authenticator type, and error codes.

This information helps separate device problems from policy, enrollment, or network issues.

Common error messages and what they mean

When checking YubiKey results, error messages are often the fastest way to identify what went wrong.

Some of the most common issues are simple to diagnose once you know what to look for.

  • Invalid code: The OTP was rejected, often due to timing or enrollment mismatch.
  • Wrong PIN: The entered PIN does not match the stored PIN for FIDO2, PIV, or OpenPGP.
  • Key not registered: The website or service does not have the YubiKey enrolled.
  • Certificate not trusted: The PIV certificate chain is incomplete or untrusted.
  • Permission denied: The app or system cannot access the key or required credential.

Best practices for reliable verification

To make result-checking easier and more consistent, keep your YubiKey setup documented and tested across the services that depend on it.

This is especially important if the same key is used for passwordless login, MFA, SSH, and certificate-based workflows.

  • Test the key after enrollment, not just during setup.
  • Confirm the key works on more than one device or browser.
  • Keep recovery codes and backup authentication methods available.
  • Update browser, operating system, and security software regularly.
  • Record which YubiKey applications are enabled and where they are used.

Using these checks makes it much easier to determine whether the YubiKey, the service, or the surrounding configuration is responsible when authentication fails.