NAME¶
fido2-token —
find and manage a FIDO 2 authenticator
SYNOPSIS¶
fido2-token |
[-CR] [-d]
device |
fido2-token |
-D [-de]
-i id
device |
fido2-token |
-I [-cd]
[-k rp_id
-i cred_id]
device |
fido2-token |
-L [-der]
[-k rp_id] [device] |
fido2-token |
-S [-de]
[-i template_id
-n template_name]
device |
DESCRIPTION¶
fido2-token manages a FIDO 2 authenticator.
The options are as follows:
-C
device- Changes the PIN of device. The user will be prompted
for the current and new PINs.
-D
-i id
device- Deletes the resident credential specified by id from
device, where id is the
credential's base64-encoded id. The user will be prompted for the
PIN.
-D
-e -i
id device- Deletes the biometric enrollment specified by id
from device, where id is the
enrollment's template base64-encoded id. The user will be prompted for the
PIN.
-I
device- Retrieves information on device.
-I
-c device- Retrieves resident credential metadata from device.
The user will be prompted for the PIN.
-I
-k rp_id
-i cred_id
device- Prints the credential id (base64-encoded) and public key (PEM encoded) of
the resident credential specified by rp_id and
cred_id, where rp_id is a
UTF-8 relying party id, and cred_id is a
base64-encoded credential id. The user will be prompted for the PIN.
-L- Produces a list of authenticators found by the operating system.
-L
-e device- Produces a list of biometric enrollments on device.
The user will be prompted for the PIN.
-L
-r device- Produces a list of relying parties with resident credentials on
device. The user will be prompted for the PIN.
-L
-k rp_id
device- Produces a list of resident credentials corresponding to relying party
rp_id on device. The user will
be prompted for the PIN.
-R- Performs a reset on device.
fido2-token will NOT prompt for confirmation.
-S- Sets the PIN of device. The user will be prompted
for the PIN.
-S
-e device- Performs a new biometric enrollment on device. The
user will be prompted for the PIN.
-S
-e -i
template_id -n
template_name device- Sets the friendly name of the biometric enrollment specified by
template_id to template_name
on device, where template_id
is base64-encoded and template_name is a UTF-8
string. The user will be prompted for the PIN.
-V- Prints version information.
-d- Causes
fido2-token to emit debugging output on
stderr.
If a tty is available,
fido2-token will use it to prompt for PINs.
Otherwise, stdin is used.
fido2-token exits 0 on success and 1 on
error.
CAVEATS¶
The actual user-flow to perform a reset is outside the scope of the FIDO2
specification, and may therefore vary depending on the authenticator. Yubico
authenticators do not allow resets after 5 seconds from power-up, and expect a
reset to be confirmed by the user through touch within 30 seconds.
An authenticator's path may contain spaces.
