1FIDO2-TOKEN(1)            BSD General Commands Manual           FIDO2-TOKEN(1)
2

NAME

4     fido2-token — find and manage a FIDO 2 authenticator
5

SYNOPSIS

7     fido2-token [-CR] [-d] device
8     fido2-token -D [-de] -i id device
9     fido2-token -I [-cd] [-k rp_id -i cred_id] device
10     fido2-token -L [-der] [-k rp_id] [device]
11     fido2-token -S [-de] [-i template_id -n template_name] device
12     fido2-token -V
13

DESCRIPTION

15     fido2-token manages a FIDO 2 authenticator.
16
17     The options are as follows:
18
19     -C device
20             Changes the PIN of device.  The user will be prompted for the
21             current and new PINs.
22
23     -D -i id device
24             Deletes the resident credential specified by id from device,
25             where id is the credential's base64-encoded id.  The user will be
26             prompted for the PIN.
27
28     -D -e -i id device
29             Deletes the biometric enrollment specified by id from device,
30             where id is the enrollment's template base64-encoded id.  The
31             user will be prompted for the PIN.
32
33     -I device
34             Retrieves information on device.
35
36     -I -c device
37             Retrieves resident credential metadata from device.  The user
38             will be prompted for the PIN.
39
40     -I -k rp_id -i cred_id device
41             Prints the credential id (base64-encoded) and public key (PEM en‐
42             coded) of the resident credential specified by rp_id and cred_id,
43             where rp_id is a UTF-8 relying party id, and cred_id is a
44             base64-encoded credential id.  The user will be prompted for the
45             PIN.
46
47     -L      Produces a list of authenticators found by the operating system.
48
49     -L -e device
50             Produces a list of biometric enrollments on device.  The user
51             will be prompted for the PIN.
52
53     -L -r device
54             Produces a list of relying parties with resident credentials on
55             device.  The user will be prompted for the PIN.
56
57     -L -k rp_id device
58             Produces a list of resident credentials corresponding to relying
59             party rp_id on device.  The user will be prompted for the PIN.
60
61     -R      Performs a reset on device.  fido2-token will NOT prompt for con‐
62             firmation.
63
64     -S      Sets the PIN of device.  The user will be prompted for the PIN.
65
66     -S -e device
67             Performs a new biometric enrollment on device.  The user will be
68             prompted for the PIN.
69
70     -S -e -i template_id -n template_name device
71             Sets the friendly name of the biometric enrollment specified by
72             template_id to template_name on device, where template_id is
73             base64-encoded and template_name is a UTF-8 string.  The user
74             will be prompted for the PIN.
75
76     -V      Prints version information.
77
78     -d      Causes fido2-token to emit debugging output on stderr.
79
80     If a tty is available, fido2-token will use it to prompt for PINs.  Oth‐
81     erwise, stdin is used.
82
83     fido2-token exits 0 on success and 1 on error.
84

SEE ALSO

86     fido2-assert(1), fido2-cred(1)
87

CAVEATS

89     The actual user-flow to perform a reset is outside the scope of the FIDO2
90     specification, and may therefore vary depending on the authenticator.
91     Yubico authenticators do not allow resets after 5 seconds from power-up,
92     and expect a reset to be confirmed by the user through touch within 30
93     seconds.
94
95     An authenticator's path may contain spaces.
96
97     Resident credentials are called “discoverable credentials” in FIDO2.1.
98
99BSD                           September 13, 2019                           BSD