fido2-token - Man Page

find and manage a FIDO 2 authenticator

Synopsis

fido2-token-C [-d device
fido2-token-D [-d] -i cred_id device
fido2-token-D -b [-d] -k key_path device
fido2-token-D -b [-d] -n rp_id [-i cred_id] device
fido2-token-D -e [-d] -i template_id device
fido2-token-G -b [-d] -k key_path blob_path device
fido2-token-G -b [-d] -n rp_id [-i cred_id] blob_path device
fido2-token-I [-cd] [-k rp_id -i cred_id] device
fido2-token-L [-bder] [-k rp_id] [device]
fido2-token-R [-d device
fido2-token-S [-adeu device
fido2-token-S [-d] -i template_id -n template_name
fido2-token-S [-d] -l pin_length device
fido2-token-S -b [-d] -k key_path blob_path device
fido2-token-S -b [-d] -n rp_id [-i cred_id] blob_path device
fido2-token-V

Description

fido2-token manages a FIDO 2 authenticator.

The options are as follows:

-C device

Changes the PIN of device. The user will be prompted for the current and new PINs.

-D -i id device

Deletes the resident credential specified by id from device, where id is the credential's base64-encoded id. The user will be prompted for the PIN.

-D -b -k key_path device

Deletes a “largeBlob” encrypted with key_path from device, where key_path must hold the blob's base64-encoded encryption key. A PIN or equivalent user-verification gesture is required.

-D -b -n rp_id [-i cred_id] device

Deletes a “largeBlob” corresponding to rp_id from device. If rp_id has multiple credentials enrolled on device, the credential ID must be specified using -i cred_id, where cred_id is a base64-encoded blob. A PIN or equivalent user-verification gesture is required.

-D -e -i id device

Deletes the biometric enrollment specified by id from device, where id is the enrollment's template base64-encoded id. The user will be prompted for the PIN.

-D -u device

Disables the FIDO 2.1 “user verification always” feature on device.

-G -b -k key_path blob_path device

Gets a FIDO 2.1 “largeBlob” encrypted with key_path from device, where key_path must hold the blob's base64-encoded encryption key. The blob is written to blob_path. A PIN or equivalent user-verification gesture is required.

-G -b -n rp_id [-i cred_id] blob_path device

Gets a FIDO 2.1 “largeBlob” associated with rp_id from device. If rp_id has multiple credentials enrolled on device, the credential ID must be specified using -i cred_id, where cred_id is a base64-encoded blob. The blob is written to blob_path. A PIN or equivalent user-verification gesture is required.

-I device

Retrieves information on device.

-I -c device

Retrieves resident credential metadata from device. The user will be prompted for the PIN.

-I -k rp_id -i cred_id device

Prints the credential id (base64-encoded) and public key (PEM encoded) of the resident credential specified by rp_id and cred_id, where rp_id is a UTF-8 relying party id, and cred_id is a base64-encoded credential id. The user will be prompted for the PIN.

-L

Produces a list of authenticators found by the operating system.

-L -b device

Produces a list of FIDO 2.1 “largeBlobs” on device. A PIN or equivalent user-verification gesture is required.

-L -e device

Produces a list of biometric enrollments on device. The user will be prompted for the PIN.

-L -r device

Produces a list of relying parties with resident credentials on device. The user will be prompted for the PIN.

-L -k rp_id device

Produces a list of resident credentials corresponding to relying party rp_id on device. The user will be prompted for the PIN.

-R

Performs a reset on device. fido2-token will NOT prompt for confirmation.

-S

Sets the PIN of device. The user will be prompted for the PIN.

-S -a device

Enables FIDO 2.1 Enterprise Attestation on device.

-S -b -k key_path blob_path device

Sets blob_path as a FIDO 2.1 “largeBlob” encrypted with key_path on device, where blob_path holds the blob's plaintext, and key_path the blob's base64-encoded encryption. A PIN or equivalent user-verification gesture is required.

-S -b -n rp_id [-i cred_id] blob_path device

Sets blob_path as a FIDO 2.1 “largeBlob” associated with rp_id on device. If rp_id has multiple credentials enrolled on device, the credential ID must be specified using -i cred_id, where cred_id is a base64-encoded blob. A PIN or equivalent user-verification gesture is required.

-S -e device

Performs a new biometric enrollment on device. The user will be prompted for the PIN.

-S -e -i template_id -n template_name device

Sets the friendly name of the biometric enrollment specified by template_id to template_name on device, where template_id is base64-encoded and template_name is a UTF-8 string. The user will be prompted for the PIN.

-S -f device

Forces a PIN change on device. The user will be prompted for the PIN.

-S -l pin_length device

Sets the minimum PIN length of device to pin_length. The user will be prompted for the PIN.

-S -u device

Enables the FIDO 2.1 “user verification always” feature on device.

-V

Prints version information.

-d

Causes fido2-token to emit debugging output on stderr.

If a tty is available, fido2-token will use it to prompt for PINs. Otherwise, stdin is used.

fido2-token exits 0 on success and 1 on error.

See Also

fido2-assert(1), fido2-cred(1)

Caveats

The actual user-flow to perform a reset is outside the scope of the FIDO2 specification, and may therefore vary depending on the authenticator. Yubico authenticators do not allow resets after 5 seconds from power-up, and expect a reset to be confirmed by the user through touch within 30 seconds.

An authenticator's path may contain spaces.

Resident credentials are called “discoverable credentials” in FIDO2.1.

Whether the FIDO 2.1 “user verification always” feature is activated or deactivated after an authenticator reset is vendor-specific.

Referenced By

fido2-assert(1), fido2-cred(1).

September 13, 2019