What a reset does
Each applet resets independently — wiping the FIDO function doesn't touch OATH, and so on. In every case the point is the same: keys and credentials are destroyed, not recoverable. Because the secrets only ever lived on the device, there is no backup to restore from unless you made one.
- FIDO2 — erases all resident credentials/passkeys and clears the PIN. Any account relying solely on this key for sign-in is locked out until you register a replacement.
- OATH — removes all stored TOTP/HOTP seeds. You'll need each service's setup secret/QR again.
- OpenPGP — destroys the on-card sign/encrypt/auth keys and resets PINs. Anything encrypted to the card's encryption key becomes undecryptable.
- PIV — clears slots, certificates, PIN/PUK, and management key.
- Token2 Molto2 — factory reset wipes loaded slots and customer-key state.
Before you reset — the checklist
- Have another way in. A second registered key, or current recovery codes, for every account this key unlocks. Verify it works before wiping.
- Re-derive what you'll re-add. Make sure you can re-enroll OATH seeds and regenerate or re-import OpenPGP/PIV keys.
- Decryption keys are special. Data encrypted to an OpenPGP encryption key or PIV key-management slot can't be read after the key is gone — decrypt or re-key it first.
- Then reset, set a fresh PIN, and re-register before relying on it.
A reset can't be reversed and the destroyed keys can't be regenerated from the device. When in doubt, stop and confirm your recovery path first.
How keyroost treats resets
Destructive operations always resolve to an explicit target, never a default device — so a reset can't land on the wrong key by accident. Reset support spans the FIDO, OATH, OpenPGP, PIV, and Molto2 applets; read-only inspection (list, fido-info, piv status) never changes anything and never needs a PIN.
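
The explicit-target rule above, sketched as an added example; this is not keyroost's own code. The reset operation names, the resolve_target function and the serial numbers are assumptions made for illustration; only the read-only command names come from this page.

```python
from dataclasses import dataclass

# Read-only names are from the page; the reset names are hypothetical.
READ_ONLY = {"list", "fido-info", "piv status"}
DESTRUCTIVE = {"fido reset", "oath reset", "openpgp reset", "piv reset", "molto2 reset"}


@dataclass(frozen=True)
class Device:
    serial: str
    model: str


class TargetError(Exception):
    """Raised when an operation cannot be tied to exactly one device."""


def resolve_target(op, devices, serial=None):
    """Return the device `op` should run against, or raise TargetError."""
    if op not in READ_ONLY | DESTRUCTIVE:
        raise TargetError(f"unknown operation: {op!r}")
    if serial is not None:
        matches = [d for d in devices if d.serial == serial]
        if len(matches) != 1:
            raise TargetError(f"serial {serial!r} matched {len(matches)} devices")
        return matches[0]
    if op in DESTRUCTIVE:
        # No fallback, even with a single key plugged in: the operator must name it.
        raise TargetError(f"{op!r} is destructive; pass an explicit serial")
    if len(devices) == 1:
        return devices[0]  # read-only operations may use the sole attached device
    raise TargetError(f"{len(devices)} devices attached; pass a serial")


# Constructed sample inventory (serials are made up).
ATTACHED = [Device("10000001", "key-A"), Device("10000002", "key-B")]

if __name__ == "__main__":
    for op, serial in [("fido-info", "10000001"), ("fido reset", None),
                       ("fido reset", "10000002"), ("piv reset", "99999999")]:
        try:
            print(op, "->", resolve_target(op, ATTACHED, serial).serial)
        except TargetError as e:
            print(op, "-> refused:", e)
```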