FIDO2-TOKEN(1)            BSD General Commands Manual           FIDO2-TOKEN(1)

NAME

     fido2-token — find and manage a FIDO 2 authenticator


SYNOPSIS

     fido2-token -C [-d] device
     fido2-token -D [-d] -i cred_id device
     fido2-token -D -b [-d] -k key_path device
     fido2-token -D -b [-d] -n rp_id [-i cred_id] device
     fido2-token -D -e [-d] -i template_id device
     fido2-token -D -u [-d] device
     fido2-token -G -b [-d] -k key_path blob_path device
     fido2-token -G -b [-d] -n rp_id [-i cred_id] blob_path device
     fido2-token -I [-cd] [-k rp_id -i cred_id] device
     fido2-token -L [-bder] [-k rp_id] [device]
     fido2-token -R [-d] device
     fido2-token -S [-adefu] device
     fido2-token -S -e [-d] -i template_id -n template_name device
     fido2-token -S [-d] -l pin_length device
     fido2-token -S -b [-d] -k key_path blob_path device
     fido2-token -S -b [-d] -n rp_id [-i cred_id] blob_path device
     fido2-token -S -c [-d] -i cred_id -k user_id -n name -p display_name
                 device
     fido2-token -V


DESCRIPTION

     fido2-token manages a FIDO 2 authenticator.

     The options are as follows:

     -C device
             Changes the PIN of device.  The user will be prompted for the
             current and new PINs.

     -D -i id device
             Deletes the resident credential specified by id from device,
             where id is the credential's base64-encoded id.  The user will be
             prompted for the PIN.

     -D -b -k key_path device
             Deletes a “largeBlob” encrypted with key_path from device, where
             key_path must hold the blob's base64-encoded encryption key.  A
             PIN or equivalent user-verification gesture is required.

     -D -b -n rp_id [-i cred_id] device
             Deletes a “largeBlob” corresponding to rp_id from device.  If
             rp_id has multiple credentials enrolled on device, the credential
             ID must be specified using -i cred_id, where cred_id is a
             base64-encoded blob.  A PIN or equivalent user-verification
             gesture is required.

     -D -e -i id device
             Deletes the biometric enrollment specified by id from device,
             where id is the enrollment's base64-encoded template id.  The
             user will be prompted for the PIN.

     -D -u device
             Disables the FIDO 2.1 “user verification always” feature on
             device.

     -G -b -k key_path blob_path device
             Gets a FIDO 2.1 “largeBlob” encrypted with key_path from device,
             where key_path must hold the blob's base64-encoded encryption
             key.  The blob is written to blob_path.  A PIN or equivalent
             user-verification gesture is required.

     -G -b -n rp_id [-i cred_id] blob_path device
             Gets a FIDO 2.1 “largeBlob” associated with rp_id from device.
             If rp_id has multiple credentials enrolled on device, the
             credential ID must be specified using -i cred_id, where cred_id
             is a base64-encoded blob.  The blob is written to blob_path.  A
             PIN or equivalent user-verification gesture is required.

     -I device
             Retrieves information on device.

     -I -c device
             Retrieves resident credential metadata from device.  The user
             will be prompted for the PIN.

     -I -k rp_id -i cred_id device
             Prints the credential id (base64-encoded) and public key (PEM
             encoded) of the resident credential specified by rp_id and
             cred_id, where rp_id is a UTF-8 relying party id, and cred_id is
             a base64-encoded credential id.  The user will be prompted for
             the PIN.

     -L      Produces a list of authenticators found by the operating system.

     -L -b device
             Produces a list of FIDO 2.1 “largeBlobs” on device.  A PIN or
             equivalent user-verification gesture is required.

     -L -e device
             Produces a list of biometric enrollments on device.  The user
             will be prompted for the PIN.

     -L -r device
             Produces a list of relying parties with resident credentials on
             device.  The user will be prompted for the PIN.

     -L -k rp_id device
             Produces a list of resident credentials corresponding to relying
             party rp_id on device.  The user will be prompted for the PIN.

     -R      Performs a reset on device.  fido2-token will NOT prompt for
             confirmation.

     -S      Sets the PIN of device.  The user will be prompted for the PIN.

     -S -a device
             Enables FIDO 2.1 Enterprise Attestation on device.

     -S -b -k key_path blob_path device
             Sets blob_path as a FIDO 2.1 “largeBlob” encrypted with key_path
             on device, where blob_path holds the blob's plaintext, and
             key_path the blob's base64-encoded encryption key.  A PIN or
             equivalent user-verification gesture is required.

     -S -b -n rp_id [-i cred_id] blob_path device
             Sets blob_path as a FIDO 2.1 “largeBlob” associated with rp_id on
             device.  If rp_id has multiple credentials enrolled on device,
             the credential ID must be specified using -i cred_id, where
             cred_id is a base64-encoded blob.  A PIN or equivalent
             user-verification gesture is required.

     -S -c -i cred_id -k user_id -n name -p display_name device
             Sets the name and display_name attributes of the resident
             credential identified by cred_id and user_id, where name and
             display_name are UTF-8 strings and cred_id and user_id are
             base64-encoded blobs.  A PIN or equivalent user-verification
             gesture is required.

     -S -e device
             Performs a new biometric enrollment on device.  The user will be
             prompted for the PIN.

     -S -e -i template_id -n template_name device
             Sets the friendly name of the biometric enrollment specified by
             template_id to template_name on device, where template_id is
             base64-encoded and template_name is a UTF-8 string.  The user
             will be prompted for the PIN.

     -S -f device
             Forces a PIN change on device.  The user will be prompted for the
             PIN.

     -S -l pin_length device
             Sets the minimum PIN length of device to pin_length.  The user
             will be prompted for the PIN.

     -S -u device
             Enables the FIDO 2.1 “user verification always” feature on
             device.

     -V      Prints version information.

     -d      Causes fido2-token to emit debugging output on stderr.

     If a tty is available, fido2-token will use it to prompt for PINs.
     Otherwise, stdin is used.

     fido2-token exits 0 on success and 1 on error.


SEE ALSO

     fido2-assert(1), fido2-cred(1)


CAVEATS

     The actual user-flow to perform a reset is outside the scope of the FIDO2
     specification, and may therefore vary depending on the authenticator.
     Yubico authenticators do not allow resets after 5 seconds from power-up,
     and expect a reset to be confirmed by the user through touch within 30
     seconds.

     An authenticator's path may contain spaces.

     Resident credentials are called “discoverable credentials” in FIDO 2.1.

     Whether the FIDO 2.1 “user verification always” feature is activated or
     deactivated after an authenticator reset is vendor-specific.

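EXAMPLES

     The following script is an added example and is not part of libfido2: it
     combines -L and -I to take an inventory of every authenticator the
     operating system reports, and shows how to handle the caveat that an
     authenticator's path may contain spaces.  It assumes that each line of
     fido2-token -L output has the form "path: vendor=0x...., product=0x....
     (name)"; the FIDO2_TOKEN variable and the helper function names are the
     example's own.

```sh
#!/bin/sh
# Added example, not part of libfido2: inventory every authenticator the
# OS reports, querying each one with `fido2-token -I`.
# ASSUMPTION: each line of `fido2-token -L` has the form
#   <device path>: vendor=0x...., product=0x.... (<product name>)
# The path itself may contain spaces (see CAVEATS), so it is cut at the
# first ": vendor=" instead of at whitespace, and always passed as one
# quoted argument.  FIDO2_TOKEN can be overridden to point at a test stub.
FIDO2_TOKEN="${FIDO2_TOKEN:-fido2-token}"

# Print the device path from one `-L` output line.  A line without the
# expected ": vendor=" marker is returned unchanged.
device_path_from_line() {
    printf '%s\n' "${1%%: vendor=*}"
}

# Read `-L` output on stdin; print one device path per line, skipping
# blank lines.
list_device_paths() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        device_path_from_line "$line"
    done
}

# Run `fido2-token -I` against every listed authenticator and report
# any device that cannot be queried instead of aborting the whole run.
inventory() {
    "$FIDO2_TOKEN" -L | list_device_paths | while IFS= read -r dev; do
        printf '== %s ==\n' "$dev"
        "$FIDO2_TOKEN" -I "$dev" || printf 'cannot query %s\n' "$dev" >&2
    done
}

# Usage: sh fido2-inventory.sh run
if [ "${1:-}" = "run" ]; then
    inventory
fi
```

     Because -I needs no PIN, the script can run unattended; the -c, -e, -k
     and -r variants would prompt for a PIN on each device.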
BSD                           September 13, 2019                           BSD