FIDO2-TOKEN(1)            BSD General Commands Manual           FIDO2-TOKEN(1)

NAME
     fido2-token — find and manage a FIDO2 authenticator

SYNOPSIS
     fido2-token -C [-d] device
     fido2-token -D [-d] -i cred_id device
     fido2-token -D -b [-d] -k key_path device
     fido2-token -D -b [-d] -n rp_id [-i cred_id] device
     fido2-token -D -e [-d] -i template_id device
     fido2-token -D -u [-d] device
     fido2-token -G -b [-d] -k key_path blob_path device
     fido2-token -G -b [-d] -n rp_id [-i cred_id] blob_path device
     fido2-token -I [-cd] [-k rp_id -i cred_id] device
     fido2-token -L [-bder] [-k rp_id] [device]
     fido2-token -R [-d] device
     fido2-token -S [-adefu] device
     fido2-token -S [-d] -i template_id -n template_name device
     fido2-token -S [-d] -l pin_length device
     fido2-token -S -b [-d] -k key_path blob_path device
     fido2-token -S -b [-d] -n rp_id [-i cred_id] blob_path device
     fido2-token -S -c [-d] -i cred_id -k user_id -n name -p display_name
                 device
     fido2-token -S -m rp_id device
     fido2-token -V

DESCRIPTION
     fido2-token manages a FIDO2 authenticator.

     The options are as follows:

     -C device
             Changes the PIN of device.  The user will be prompted for the
             current and new PINs.

     -D -i id device
             Deletes the resident credential specified by id from device,
             where id is the credential's base64-encoded id.  The user will be
             prompted for the PIN.

     -D -b -k key_path device
             Deletes a “largeBlob” encrypted with key_path from device, where
             key_path must hold the blob's base64-encoded encryption key.  A
             PIN or equivalent user-verification gesture is required.

     -D -b -n rp_id [-i cred_id] device
             Deletes a “largeBlob” corresponding to rp_id from device.  If
             rp_id has multiple credentials enrolled on device, the credential
             ID must be specified using -i cred_id, where cred_id is a
             base64-encoded blob.  A PIN or equivalent user-verification
             gesture is required.

     -D -e -i id device
             Deletes the biometric enrollment specified by id from device,
             where id is the enrollment's base64-encoded template id.  The
             user will be prompted for the PIN.

     -D -u device
             Disables the CTAP 2.1 “user verification always” feature on
             device.

     -G -b -k key_path blob_path device
             Gets a CTAP 2.1 “largeBlob” encrypted with key_path from device,
             where key_path must hold the blob's base64-encoded encryption
             key.  The blob is written to blob_path.  A PIN or equivalent
             user-verification gesture is required.

     -G -b -n rp_id [-i cred_id] blob_path device
             Gets a CTAP 2.1 “largeBlob” associated with rp_id from device.
             If rp_id has multiple credentials enrolled on device, the
             credential ID must be specified using -i cred_id, where cred_id
             is a base64-encoded blob.  The blob is written to blob_path.  A
             PIN or equivalent user-verification gesture is required.

     -I device
             Retrieves information on device.

     -I -c device
             Retrieves resident credential metadata from device.  The user
             will be prompted for the PIN.

     -I -k rp_id -i cred_id device
             Prints the credential id (base64-encoded) and public key (PEM
             encoded) of the resident credential specified by rp_id and
             cred_id, where rp_id is a UTF-8 relying party id, and cred_id is
             a base64-encoded credential id.  The user will be prompted for
             the PIN.

     -L      Produces a list of authenticators found by the operating system.

     -L -b device
             Produces a list of CTAP 2.1 “largeBlobs” on device.  A PIN or
             equivalent user-verification gesture is required.

     -L -e device
             Produces a list of biometric enrollments on device.  The user
             will be prompted for the PIN.

     -L -r device
             Produces a list of relying parties with resident credentials on
             device.  The user will be prompted for the PIN.

     -L -k rp_id device
             Produces a list of resident credentials corresponding to relying
             party rp_id on device.  The user will be prompted for the PIN.

     -R      Performs a reset on device.  fido2-token will NOT prompt for
             confirmation.

     -S      Sets the PIN of device.  The user will be prompted for the PIN.

     -S -a device
             Enables CTAP 2.1 Enterprise Attestation on device.

     -S -b -k key_path blob_path device
             Sets blob_path as a CTAP 2.1 “largeBlob” encrypted with key_path
             on device, where blob_path holds the blob's plaintext, and
             key_path the blob's base64-encoded encryption key.  A PIN or
             equivalent user-verification gesture is required.

     -S -b -n rp_id [-i cred_id] blob_path device
             Sets blob_path as a CTAP 2.1 “largeBlob” associated with rp_id on
             device.  If rp_id has multiple credentials enrolled on device,
             the credential ID must be specified using -i cred_id, where
             cred_id is a base64-encoded blob.  A PIN or equivalent
             user-verification gesture is required.

     -S -c -i cred_id -k user_id -n name -p display_name device
             Sets the name and display_name attributes of the resident
             credential identified by cred_id and user_id, where name and
             display_name are UTF-8 strings and cred_id and user_id are
             base64-encoded blobs.  A PIN or equivalent user-verification
             gesture is required.

     -S -e device
             Performs a new biometric enrollment on device.  The user will be
             prompted for the PIN.

     -S -e -i template_id -n template_name device
             Sets the friendly name of the biometric enrollment specified by
             template_id to template_name on device, where template_id is
             base64-encoded and template_name is a UTF-8 string.  The user
             will be prompted for the PIN.

     -S -f device
             Forces a PIN change on device.  The user will be prompted for the
             PIN.

     -S -l pin_length device
             Sets the minimum PIN length of device to pin_length.  The user
             will be prompted for the PIN.

     -S -m rp_id device
             Sets the list of relying party IDs that are allowed to retrieve
             the minimum PIN length of device.  Multiple IDs may be specified,
             separated by commas.  The user will be prompted for the PIN.

     -S -u device
             Enables the CTAP 2.1 “user verification always” feature on
             device.

     -V      Prints version information.

     -d      Causes fido2-token to emit debugging output on stderr.

     If a tty is available, fido2-token will use it to prompt for PINs.
     Otherwise, stdin is used.

     fido2-token exits 0 on success and 1 on error.

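     The following shell helpers are an added example and are not part of
     libfido2 or of this manual.  They show how a script can create and
     check the base64-encoded key that the -S -b -k, -G -b -k and -D -b -k
     forms take in key_path, and how to run fido2-token while acting on the
     exit status documented above.  Assumptions not stated on this page: a
     largeBlob encryption key is 32 bytes (CTAP 2.1), the key file holds a
     single base64 line, and a GNU-style 'base64 -d' is available.

```shell
#!/bin/sh
# Added example, not part of libfido2 or its manual.  Helpers for scripting
# the largeBlob forms of fido2-token (-S -b -k, -G -b -k, -D -b -k).
# Assumptions: fido2-token is on PATH; a largeBlob encryption key is 32 bytes
# (CTAP 2.1); key files hold one base64 line; 'base64 -d' decodes (GNU/Linux).
set -eu

# Write a fresh 32-byte encryption key, base64-encoded, to key_path.  The
# umask is changed inside a subshell so the file is created mode 0600
# without touching the caller's umask.  An existing file is never replaced,
# because losing the key means losing access to the blob it protects.
new_blob_key() {
    key_path=$1
    if [ -e "$key_path" ]; then
        echo "refusing to overwrite existing key file $key_path" >&2
        return 1
    fi
    ( umask 077 && head -c 32 /dev/urandom | base64 | tr -d '\n' > "$key_path" )
}

# Check that key_path holds base64 text decoding to exactly 32 bytes.
# Returns 0 when the file is usable as -k key_path, 1 otherwise.
check_blob_key() {
    key_path=$1
    [ -f "$key_path" ] || return 1
    n=$(base64 -d "$key_path" 2>/dev/null | wc -c | tr -d ' ')
    [ "${n:-0}" -eq 32 ]
}

# Run fido2-token with the given arguments.  The manual defines exit status
# 0 for success and 1 for error; report and preserve a failure instead of
# letting the script continue with an unverified device state.
run_token() {
    fido2-token "$@" || {
        rc=$?
        printf 'fido2-token %s: failed with exit status %d\n' "$1" "$rc" >&2
        return "$rc"
    }
}

# Store blob_path on device as a largeBlob under a freshly generated key,
# then read it back into out_path and compare.  fido2-token itself prompts
# for the PIN (on the tty, or on stdin when no tty is available).
blob_roundtrip() {
    device=$1 blob_path=$2 key_path=$3 out_path=$4
    new_blob_key "$key_path"
    check_blob_key "$key_path" || return 1
    run_token -S -b -k "$key_path" "$blob_path" "$device"
    run_token -G -b -k "$key_path" "$out_path" "$device"
    cmp -s "$blob_path" "$out_path"
}

# Live use only when a device and file names are given on the command line:
#   ./blob.sh /dev/hidraw0 secret.bin key.b64 readback.bin
if [ "$#" -eq 4 ]; then
    blob_roundtrip "$1" "$2" "$3" "$4"
fi
```

     The key file, not the PIN, is what later unlocks the blob: -G -b -k and
     -D -b -k take the same key_path, so the file's permissions and the
     refusal to overwrite it matter as much as the PIN prompt.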
SEE ALSO
     fido2-assert(1), fido2-cred(1)

CAVEATS
     The actual user-flow to perform a reset is outside the scope of the FIDO2
     specification, and may therefore vary depending on the authenticator.
     Yubico authenticators do not allow resets after 5 seconds from power-up,
     and expect a reset to be confirmed by the user through touch within 30
     seconds.

     An authenticator's path may contain spaces.

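     The following shell functions are an added example, not part of
     libfido2 or of this manual.  They read the list that fido2-token -L
     prints without ever word-splitting a device path, so a path containing
     spaces reaches later fido2-token invocations as one argument, and they
     refuse to choose a device when the vendor match is ambiguous.  The line
     format “path: vendor=0xVVVV, product=0xPPPP (maker model)” is what
     libfido2's tool prints at the time of writing and is treated here as an
     assumption; the sample listing and its paths are constructed.

```shell
#!/bin/sh
# Added example, not part of libfido2 or its manual.  Space-safe handling of
# the authenticator list printed by 'fido2-token -L'.
# Assumed line format (libfido2's tool at the time of writing):
#   <path>: vendor=0x<vvvv>, product=0x<pppp> (<manufacturer> <product>)
# Paths are platform-specific and, as the CAVEATS note, may contain spaces.
set -eu

# Constructed sample listing (not real output).  The second path contains
# spaces on purpose; the third line uses a made-up vendor id.
SAMPLE_LISTING='/dev/hidraw0: vendor=0x1050, product=0x0407 (Yubico YubiKey OTP+FIDO+CCID)
pcsc://Example Reader 00 00: vendor=0x1050, product=0x0407 (Yubico YubiKey OTP+FIDO+CCID)
/dev/hidraw2: vendor=0x1234, product=0x0001 (Example Vendor Example Token)'

# Device path of one listing line: everything before the last ': vendor='.
# A parameter expansion is used instead of cut/awk so that spaces and
# colons inside the path are preserved exactly.
token_path() {
    printf '%s\n' "${1%: vendor=*}"
}

# Print, one per line, the paths of listed devices whose vendor id is $2
# (e.g. 0x1050).  $1 is the listing text; pass "$(fido2-token -L)" on a
# live system.
paths_for_vendor() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case $line in
        *": vendor=$2,"*) token_path "$line" ;;
        esac
    done
}

# Require exactly one device for vendor $2 and print its path; fail when
# there are none or several, so that operations such as -R (which never asks
# for confirmation) or -S are not run against an unintended target.
only_device() {
    paths=$(paths_for_vendor "$1" "$2")
    if [ -z "$paths" ]; then
        echo "no authenticator with vendor $2" >&2
        return 1
    fi
    n=$(printf '%s\n' "$paths" | wc -l | tr -d ' ')
    if [ "$n" -ne 1 ]; then
        echo "$n authenticators with vendor $2; refusing to guess" >&2
        return 1
    fi
    printf '%s\n' "$paths"
}

# Query every listed device of a vendor.  The path is quoted at each step,
# so a space inside it never splits into several arguments.
info_all() {
    paths_for_vendor "$1" "$2" | while IFS= read -r dev; do
        fido2-token -I "$dev"
    done
}

# Live use (not run here):
#   info_all "$(fido2-token -L)" 0x1050
#   dev=$(only_device "$(fido2-token -L)" 0x1050) && fido2-token -I -c "$dev"
```

     The same pattern applies to any loop over fido2-token -L output: read
     one line at a time with IFS= and read -r, and pass "$dev" quoted;
     a for loop over an unquoted $(fido2-token -L) would split a path at
     its spaces.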
     Resident credentials are called “discoverable credentials” in CTAP 2.1.

     Whether the CTAP 2.1 “user verification always” feature is activated or
     deactivated after an authenticator reset is vendor-specific.

BSD                           September 13, 2019                           BSD