NAME¶

fido2-token — find and manage a FIDO 2 authenticator

SYNOPSIS¶

fido2-token [-CR] [-d] device

fido2-token -D [-de] -i id device

fido2-token -I [-cd] [-k rp_id -i cred_id] device

fido2-token -L [-der] [-k rp_id] [device]

fido2-token -S [-de] [-i template_id -n template_name] device

fido2-token -V

DESCRIPTION¶

fido2-token manages a FIDO 2 authenticator.

The options are as follows:

-C device: Changes the PIN of device. The user will be prompted for the current and new PINs.
-D -i id device: Deletes the resident credential specified by id from device, where id is the credential's base64-encoded id. The user will be prompted for the PIN.
-D -e -i id device: Deletes the biometric enrollment specified by id from device, where id is the enrollment's template base64-encoded id. The user will be prompted for the PIN.
-I device: Retrieves information on device.
-I -c device: Retrieves resident credential metadata from device. The user will be prompted for the PIN.
-I -k rp_id -i cred_id device: Prints the credential id (base64-encoded) and public key (PEM encoded) of the resident credential specified by rp_id and cred_id, where rp_id is a UTF-8 relying party id, and cred_id is a base64-encoded credential id. The user will be prompted for the PIN.
-L: Produces a list of authenticators found by the operating system.
-L -e device: Produces a list of biometric enrollments on device. The user will be prompted for the PIN.
-L -r device: Produces a list of relying parties with resident credentials on device. The user will be prompted for the PIN.
-L -k rp_id device: Produces a list of resident credentials corresponding to relying party rp_id on device. The user will be prompted for the PIN.
-R: Performs a reset on device. fido2-token will NOT prompt for confirmation.
-S: Sets the PIN of device. The user will be prompted for the PIN.
-S -e device: Performs a new biometric enrollment on device. The user will be prompted for the PIN.
-S -e -i template_id -n template_name device: Sets the friendly name of the biometric enrollment specified by template_id to template_name on device, where template_id is base64-encoded and template_name is a UTF-8 string. The user will be prompted for the PIN.
-V: Prints version information.
-d: Causes fido2-token to emit debugging output on stderr.

If a tty is available, fido2-token will use it to prompt for PINs. Otherwise, stdin is used.

fido2-token exits 0 on success and 1 on error.

CAVEATS¶

The actual user-flow to perform a reset is outside the scope of the FIDO2 specification, and may therefore vary depending on the authenticator. Yubico authenticators do not allow resets after 5 seconds from power-up, and expect a reset to be confirmed by the user through touch within 30 seconds.

An authenticator's path may contain spaces.

Resident credentials are called “discoverable credentials” in FIDO2.1.

September 13, 2019

Debian

Source file:	fido2-token.1.en.gz (from fido2-tools 1.6.0-2)
Source last updated:	2021-01-16T22:46:13Z
Converted to HTML:	2023-03-23T16:07:45Z

NAME¶

SYNOPSIS¶

DESCRIPTION¶

SEE ALSO¶

CAVEATS¶