FIDO2-TOKEN(1)            BSD General Commands Manual           FIDO2-TOKEN(1)

NAME
     fido2-token — find and manage a FIDO2 authenticator

SYNOPSIS
     fido2-token -C [-d] device
     fido2-token -D [-d] -i cred_id device
     fido2-token -D -b [-d] -k key_path device
     fido2-token -D -b [-d] -n rp_id [-i cred_id] device
     fido2-token -D -e [-d] -i template_id device
     fido2-token -D -u [-d] device
     fido2-token -G -b [-d] -k key_path blob_path device
     fido2-token -G -b [-d] -n rp_id [-i cred_id] blob_path device
     fido2-token -I [-cd] [-k rp_id -i cred_id] device
     fido2-token -L [-bder] [-k rp_id] [device]
     fido2-token -R [-d] device
     fido2-token -S [-adefu] device
     fido2-token -S [-d] -i template_id -n template_name device
     fido2-token -S [-d] -l pin_length device
     fido2-token -S -b [-d] -k key_path blob_path device
     fido2-token -S -b [-d] -n rp_id [-i cred_id] blob_path device
     fido2-token -S -c [-d] -i cred_id -k user_id -n name -p display_name
                 device
     fido2-token -S -m rp_id device
     fido2-token -V

DESCRIPTION
     fido2-token manages a FIDO2 authenticator.

     The options are as follows:

     -C device
             Changes the PIN of device. The user will be prompted for the
             current and new PINs.

     -D -i id device
             Deletes the resident credential specified by id from device,
             where id is the credential's base64-encoded id. The user will
             be prompted for the PIN.

     -D -b -k key_path device
             Deletes a “largeBlob” encrypted with key_path from device,
             where key_path holds the blob's base64-encoded 32-byte AES-256
             GCM encryption key. A PIN or equivalent user-verification
             gesture is required.

     -D -b -n rp_id [-i cred_id] device
             Deletes a “largeBlob” corresponding to rp_id from device. If
             rp_id has multiple credentials enrolled on device, the
             credential ID must be specified using -i cred_id, where cred_id
             is a base64-encoded blob. A PIN or equivalent user-verification
             gesture is required.

     -D -e -i id device
             Deletes the biometric enrollment specified by id from device,
             where id is the enrollment's base64-encoded template id. The
             user will be prompted for the PIN.

     -D -u device
             Disables the CTAP 2.1 “user verification always” feature on
             device.

     -G -b -k key_path blob_path device
             Gets a CTAP 2.1 “largeBlob” encrypted with key_path from device,
             where key_path holds the blob's base64-encoded 32-byte AES-256
             GCM encryption key. The blob is written to blob_path. A PIN or
             equivalent user-verification gesture is required.

     -G -b -n rp_id [-i cred_id] blob_path device
             Gets a CTAP 2.1 “largeBlob” associated with rp_id from device.
             If rp_id has multiple credentials enrolled on device, the
             credential ID must be specified using -i cred_id, where cred_id
             is a base64-encoded blob. The blob is written to blob_path. A
             PIN or equivalent user-verification gesture is required.

     -I device
             Retrieves information on device.

     -I -c device
             Retrieves resident credential metadata from device. The user
             will be prompted for the PIN.

     -I -k rp_id -i cred_id device
             Prints the credential id (base64-encoded) and public key (PEM
             encoded) of the resident credential specified by rp_id and
             cred_id, where rp_id is a UTF-8 relying party id, and cred_id is
             a base64-encoded credential id. The user will be prompted for
             the PIN.

     -L      Produces a list of authenticators found by the operating system.

     -L -b device
             Produces a list of CTAP 2.1 “largeBlobs” on device. A PIN or
             equivalent user-verification gesture is required.

     -L -e device
             Produces a list of biometric enrollments on device. The user
             will be prompted for the PIN.

     -L -r device
             Produces a list of relying parties with resident credentials on
             device. The user will be prompted for the PIN.

     -L -k rp_id device
             Produces a list of resident credentials corresponding to relying
             party rp_id on device. The user will be prompted for the PIN.

     -R      Performs a reset on device. fido2-token will NOT prompt for
             confirmation.

     -S      Sets the PIN of device. The user will be prompted for the PIN.

     -S -a device
             Enables CTAP 2.1 Enterprise Attestation on device.

     -S -b -k key_path blob_path device
             Sets a CTAP 2.1 “largeBlob” encrypted with key_path on device,
             where key_path holds the blob's base64-encoded 32-byte AES-256
             GCM encryption key. The blob is read from blob_path. A PIN or
             equivalent user-verification gesture is required.

     -S -b -n rp_id [-i cred_id] blob_path device
             Sets a CTAP 2.1 “largeBlob” associated with rp_id on device. The
             blob is read from blob_path. If rp_id has multiple credentials
             enrolled on device, the credential ID must be specified using -i
             cred_id, where cred_id is a base64-encoded blob. A PIN or
             equivalent user-verification gesture is required.

     -S -c -i cred_id -k user_id -n name -p display_name device
             Sets the name and display_name attributes of the resident
             credential identified by cred_id and user_id, where name and
             display_name are UTF-8 strings and cred_id and user_id are
             base64-encoded blobs. A PIN or equivalent user-verification
             gesture is required.

     -S -e device
             Performs a new biometric enrollment on device. The user will be
             prompted for the PIN.

     -S -e -i template_id -n template_name device
             Sets the friendly name of the biometric enrollment specified by
             template_id to template_name on device, where template_id is
             base64-encoded and template_name is a UTF-8 string. The user
             will be prompted for the PIN.

     -S -f device
             Forces a PIN change on device. The user will be prompted for the
             PIN.

     -S -l pin_length device
             Sets the minimum PIN length of device to pin_length. The user
             will be prompted for the PIN.

     -S -m rp_id device
             Sets the list of relying party IDs that are allowed to retrieve
             the minimum PIN length of device. Multiple IDs may be specified,
             separated by commas. The user will be prompted for the PIN.

     -S -u device
             Enables the CTAP 2.1 “user verification always” feature on
             device.

     -V      Prints version information.

     -d      Causes fido2-token to emit debugging output on stderr.

     If a tty is available, fido2-token will use it to prompt for PINs.
     Otherwise, stdin is used.

     fido2-token exits 0 on success and 1 on error.
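
The -b -k forms above take a key_path file holding a base64-encoded 32-byte key. The following is an added example, not part of this manual or of libfido2, showing one way to create such a file with owner-only permissions and to check it before handing it to fido2-token; the function names and the paths in the usage comment are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example: manage the key file expected by the -b -k key_path forms,
# i.e. a base64-encoded 32-byte key. Function names are this example's own.

# make_blob_key PATH
# Write a fresh random key to PATH, readable by the owner only. Refuses to
# overwrite an existing file, since a blob cannot be decrypted without its key.
make_blob_key() {
    (
        umask 077   # new file is created with mode 0600
        set -C      # noclobber: '>' fails if PATH already exists
        head -c 32 /dev/urandom | base64 > "$1"
    ) 2>/dev/null
}

# blob_key_ok PATH
# Succeed only if PATH is a regular file with no group/other access that
# decodes cleanly to exactly 32 bytes.
blob_key_ok() {
    [ -f "$1" ] || return 1
    case "$(ls -ld -- "$1")" in
        ????------*) ;;     # e.g. -rw-------
        *) echo "$1: accessible by group or others" >&2; return 1 ;;
    esac
    base64 -d < "$1" > /dev/null 2>&1 ||
        { echo "$1: not valid base64" >&2; return 1; }
    n=$(base64 -d < "$1" | wc -c | tr -d ' ')
    [ "$n" -eq 32 ] || { echo "$1: decodes to $n bytes, want 32" >&2; return 1; }
}

# Typical use (needs an authenticator; paths and $dev are placeholders):
#   make_blob_key "$HOME/.config/fido2/blob.key"
#   blob_key_ok "$HOME/.config/fido2/blob.key" &&
#       fido2-token -S -b -k "$HOME/.config/fido2/blob.key" secret.bin "$dev"
```
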

SEE ALSO
     fido2-assert(1), fido2-cred(1)

CAVEATS
     The actual user-flow to perform a reset is outside the scope of the
     FIDO2 specification, and may therefore vary depending on the
     authenticator. Yubico authenticators do not allow resets more than 5
     seconds after power-up, and expect a reset to be confirmed by the user
     through touch within 30 seconds.

     An authenticator's path may contain spaces.

     Resident credentials are called “discoverable credentials” in CTAP 2.1.

     Whether the CTAP 2.1 “user verification always” feature is activated or
     deactivated after an authenticator reset is vendor-specific.
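
Because -R does not prompt for confirmation and a device path may contain spaces, a wrapper can ask the operator to retype the path and pass it on as a single quoted argument. The following is an added example, not part of this manual or of libfido2; guarded_reset and the FIDO2_TOKEN variable are names introduced here, the latter only so that the command can be replaced when testing.

```shell
#!/bin/sh
# Added example: confirmation wrapper around "fido2-token -R device".
# FIDO2_TOKEN is this example's own variable (fido2-token does not read it);
# it lets a test substitute a stand-in for the real binary.

# guarded_reset DEVICE
# Read one line from stdin and run the reset only if that line is exactly
# DEVICE. Returns 2 on usage error, 1 if the confirmation does not match,
# otherwise the exit status of fido2-token.
guarded_reset() {
    dev=$1
    [ -n "$dev" ] || { echo "usage: guarded_reset device" >&2; return 2; }

    printf 'Retype the device path to confirm reset of "%s": ' "$dev" >&2
    # IFS= and -r keep leading/trailing spaces and backslashes intact,
    # so a path containing spaces must be retyped exactly.
    IFS= read -r answer || return 1

    if [ "$answer" != "$dev" ]; then
        echo "confirmation did not match, not resetting" >&2
        return 1
    fi

    # Quote the path so it reaches fido2-token as one argument.
    "${FIDO2_TOKEN:-fido2-token}" -R "$dev"
}
```
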

BSD                             April 11, 2022                             BSD