FIDO2-TOKEN(1)            BSD General Commands Manual           FIDO2-TOKEN(1)

NAME

     fido2-token — find and manage a FIDO 2 authenticator

SYNOPSIS

     fido2-token [-CR] [-d] device
     fido2-token -D [-de] -i id device
     fido2-token -I [-cd] [-k rp_id -i cred_id] device
     fido2-token -L [-der] [-k rp_id] [device]
     fido2-token -S [-de] [-i template_id -n template_name] device
     fido2-token -V

DESCRIPTION

     fido2-token manages a FIDO 2 authenticator.

     The options are as follows:

     -C device
             Changes the PIN of device.  The user will be prompted for the
             current and new PINs.

     -D -i id device
             Deletes the resident credential specified by id from device,
             where id is the credential's base64-encoded id.  The user will be
             prompted for the PIN.

     -D -e -i id device
             Deletes the biometric enrollment specified by id from device,
             where id is the enrollment's template base64-encoded id.  The
             user will be prompted for the PIN.

     -I device
             Retrieves information on device.

     -I -c device
             Retrieves resident credential metadata from device.  The user
             will be prompted for the PIN.

     -I -k rp_id -i cred_id device
             Prints the credential id (base64-encoded) and public key (PEM
             encoded) of the resident credential specified by rp_id and
             cred_id, where rp_id is a UTF-8 relying party id, and cred_id is
             a base64-encoded credential id.  The user will be prompted for
             the PIN.

     -L      Produces a list of authenticators found by the operating system.

     -L -e device
             Produces a list of biometric enrollments on device.  The user
             will be prompted for the PIN.

     -L -r device
             Produces a list of relying parties with resident credentials on
             device.  The user will be prompted for the PIN.

     -L -k rp_id device
             Produces a list of resident credentials corresponding to relying
             party rp_id on device.  The user will be prompted for the PIN.

     -R      Performs a reset on device.  fido2-token will NOT prompt for
             confirmation.

     -S      Sets the PIN of device.  The user will be prompted for the PIN.

     -S -e device
             Performs a new biometric enrollment on device.  The user will be
             prompted for the PIN.

     -S -e -i template_id -n template_name device
             Sets the friendly name of the biometric enrollment specified by
             template_id to template_name on device, where template_id is
             base64-encoded and template_name is a UTF-8 string.  The user
             will be prompted for the PIN.

     -V      Prints version information.

     -d      Causes fido2-token to emit debugging output on stderr.

     If a tty is available, fido2-token will use it to prompt for PINs.
     Otherwise, stdin is used.

     fido2-token exits 0 on success and 1 on error.

SEE ALSO

     fido2-assert(1), fido2-cred(1)

CAVEATS

     The actual user-flow to perform a reset is outside the scope of the FIDO2
     specification, and may therefore vary depending on the authenticator.
     Yubico authenticators do not allow resets after 5 seconds from power-up,
     and expect a reset to be confirmed by the user through touch within 30
     seconds.

     An authenticator's path may contain spaces.
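
     Because -R does not prompt and a device path may contain spaces, a
     wrapper can put a confirmation step in front of the reset.  The sketch
     below is an added example, not part of fido2-token or this manual page;
     FIDO2_TOKEN_BIN, device_attached and guarded_reset are hypothetical
     names, and the shape of the -L listing (each line starting with the
     device path followed by ": ") is an assumption.

```shell
#!/bin/sh
# Added example: a confirmation gate in front of `fido2-token -R`.
# FIDO2_TOKEN_BIN, device_attached and guarded_reset are hypothetical names.
FIDO2_TOKEN_BIN="${FIDO2_TOKEN_BIN:-fido2-token}"

# device_attached DEVICE
# Succeeds only if DEVICE appears in the `-L` listing.
# ASSUMPTION: `-L` prints one line per authenticator, starting with the
# device path followed by ": ". If that does not hold, this fails closed.
device_attached() {
    listing=$("$FIDO2_TOKEN_BIN" -L) || return 1
    while IFS= read -r line; do
        case "$line" in
            # The quoted part is matched literally, so spaces or glob
            # characters in the path are not interpreted by the shell.
            "$1: "*) return 0 ;;
        esac
    done <<EOF
$listing
EOF
    return 1
}

# guarded_reset DEVICE CONFIRMATION
# Exit status: 0 reset performed, 1 fido2-token reported an error,
#              2 refused before -R was ever invoked.
guarded_reset() {
    [ "$#" -eq 2 ] && [ -n "$1" ] || return 2
    # -R never asks for confirmation, so the caller must repeat the exact
    # device path; a generic "yes" is not accepted.
    [ "$2" = "$1" ] || return 2
    # Refuse paths that are not currently listed (typo, unplugged token).
    device_attached "$1" || return 2
    # Keep the path quoted: it may contain spaces.
    if "$FIDO2_TOKEN_BIN" -R "$1"; then
        return 0
    fi
    return 1
}
```

     An interactive caller would read CONFIRMATION from the tty and pass it
     as the second argument; status 2 means -R was never run.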
96
97BSD                           September 13, 2019                           BSD