NAME
fido2-token - find and manage a FIDO 2 authenticator

SYNOPSIS
fido2-token [-CR] [-d] device
fido2-token -D [-de] -i id device
fido2-token -I [-cd] [-k rp_id -i cred_id] device
fido2-token -L [-der] [-k rp_id] [device]
fido2-token -S [-de] [-i template_id -n template_name] device

DESCRIPTION
fido2-token manages a FIDO 2 authenticator.

The options are as follows:

-C device
    Changes the PIN of device. The user will be prompted for the current and new PINs.

-D -i id device
    Deletes the resident credential specified by id from device, where id is the credential's base64-encoded id. The user will be prompted for the PIN.

-D -e -i id device
    Deletes the biometric enrollment specified by id from device, where id is the enrollment's template base64-encoded id. The user will be prompted for the PIN.

-I device
    Retrieves information on device.

-I -c device
    Retrieves resident credential metadata from device. The user will be prompted for the PIN.

-I -k rp_id -i cred_id device
    Prints the credential id (base64-encoded) and public key (PEM encoded) of the resident credential specified by rp_id and cred_id, where rp_id is a UTF-8 relying party id, and cred_id is a base64-encoded credential id. The user will be prompted for the PIN.

-L
    Produces a list of authenticators found by the operating system.

-L -e device
    Produces a list of biometric enrollments on device. The user will be prompted for the PIN.

-L -r device
    Produces a list of relying parties with resident credentials on device. The user will be prompted for the PIN.

-L -k rp_id device
    Produces a list of resident credentials corresponding to relying party rp_id on device. The user will be prompted for the PIN.

-R
    Performs a reset on device. fido2-token will NOT prompt for confirmation.

-S
    Sets the PIN of device. The user will be prompted for the PIN.

-S -e device
    Performs a new biometric enrollment on device. The user will be prompted for the PIN.

-S -e -i template_id -n template_name device
    Sets the friendly name of the biometric enrollment specified by template_id to template_name on device, where template_id is base64-encoded and template_name is a UTF-8 string. The user will be prompted for the PIN.

-V
    Prints version information.

-d
    Causes fido2-token to emit debugging output on stderr.

If a tty is available, fido2-token will use it to prompt for PINs. Otherwise, stdin is used.

fido2-token exits 0 on success and 1 on error.

CAVEATS
The actual user-flow to perform a reset is outside the scope of the FIDO2 specification, and may therefore vary depending on the authenticator. Yubico authenticators do not allow resets after 5 seconds from power-up, and expect a reset to be confirmed by the user through touch within 30 seconds.

An authenticator's path may contain spaces.
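
The caveat about spaces matters when scripting around -L and passing each path back as device. The following is an added example, not part of the original manual or the libfido2 project: it extracts device paths from -L output without splitting on whitespace and runs -I on each one. It assumes every -L line has the form `<path>: vendor=0x<hex>, product=0x<hex> (<description>)`; FIDO2_TOKEN is a hypothetical override for the binary name.

```shell
#!/bin/sh
# Added example, not part of the fido2-token distribution.
# Assumption: each line printed by `fido2-token -L` has the form
#   <path>: vendor=0x<hex>, product=0x<hex> (<description>)
# FIDO2_TOKEN is a hypothetical override for the binary name, used for testing.

# Constructed sample of -L output; the second path contains spaces and a colon.
SAMPLE_LIST='/dev/hidraw0: vendor=0x1050, product=0x0407 (Example Key A)
IOService:/Example Root/USB Key@14100000/HID Device: vendor=0x1050, product=0x0120 (Example Key B)'

# Read -L output on stdin and print one device path per line.
# The greedy match cuts at the last ": vendor=0x", so spaces and colons
# inside the path are preserved; lines of any other shape are dropped.
device_paths() {
    sed -n 's/^\(.*\): vendor=0x[0-9A-Fa-f]*, product=0x.*$/\1/p'
}

# Run `fido2-token -I` on every listed device. Returns 1 if listing fails
# or any device reports an error (fido2-token exits 1 on error).
inventory() {
    failed=0
    list=$("${FIDO2_TOKEN:-fido2-token}" -L) || return 1
    # A here-document (not a pipe) keeps the loop in this shell, so
    # $failed is still set when the loop ends.
    while IFS= read -r dev; do
        [ -n "$dev" ] || continue
        printf '== %s ==\n' "$dev"
        # Quote the path; </dev/null stops the tool from consuming the
        # loop's input, since it falls back to stdin when no tty exists.
        "${FIDO2_TOKEN:-fido2-token}" -I "$dev" </dev/null || failed=1
    done <<EOF
$(printf '%s\n' "$list" | device_paths)
EOF
    return "$failed"
}

# Run only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    inventory
fi
```

Invoke the script with `--run` to query every attached authenticator; a non-zero exit status means the listing or at least one -I call failed.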