FIDO2-TOKEN(1)            BSD General Commands Manual           FIDO2-TOKEN(1)


NAME

     fido2-token — find and manage a FIDO2 authenticator


SYNOPSIS

     fido2-token -C [-d] device
     fido2-token -D [-d] -i cred_id device
     fido2-token -D -b [-d] -k key_path device
     fido2-token -D -b [-d] -n rp_id [-i cred_id] device
     fido2-token -D -e [-d] -i template_id device
     fido2-token -D -u [-d] device
     fido2-token -G -b [-d] -k key_path blob_path device
     fido2-token -G -b [-d] -n rp_id [-i cred_id] blob_path device
     fido2-token -I [-cd] [-k rp_id -i cred_id] device
     fido2-token -L [-bder] [-k rp_id] [device]
     fido2-token -R [-d] device
     fido2-token -S [-adefu] device
     fido2-token -S [-d] -i template_id -n template_name device
     fido2-token -S [-d] -l pin_length device
     fido2-token -S -b [-d] -k key_path blob_path device
     fido2-token -S -b [-d] -n rp_id [-i cred_id] blob_path device
     fido2-token -S -c [-d] -i cred_id -k user_id -n name -p display_name
                 device
     fido2-token -S -m rp_id device
     fido2-token -V


DESCRIPTION

     fido2-token manages a FIDO2 authenticator.

     The options are as follows:

     -C device
             Changes the PIN of device.  The user will be prompted for the
             current and new PINs.

     -D -i id device
             Deletes the resident credential specified by id from device,
             where id is the credential's base64-encoded id.  The user will be
             prompted for the PIN.

     -D -b -k key_path device
             Deletes a “largeBlob” encrypted with key_path from device, where
             key_path holds the blob's base64-encoded 32-byte AES-256 GCM
             encryption key.  A PIN or equivalent user-verification gesture
             is required.

     -D -b -n rp_id [-i cred_id] device
             Deletes a “largeBlob” corresponding to rp_id from device.  If
             rp_id has multiple credentials enrolled on device, the credential
             ID must be specified using -i cred_id, where cred_id is a
             base64-encoded blob.  A PIN or equivalent user-verification
             gesture is required.

     -D -e -i id device
             Deletes the biometric enrollment specified by id from device,
             where id is the enrollment's base64-encoded template id.  The
             user will be prompted for the PIN.

     -D -u device
             Disables the CTAP 2.1 “user verification always” feature on
             device.

     -G -b -k key_path blob_path device
             Gets a CTAP 2.1 “largeBlob” encrypted with key_path from device,
             where key_path holds the blob's base64-encoded 32-byte AES-256
             GCM encryption key.  The blob is written to blob_path.  A PIN or
             equivalent user-verification gesture is required.

     -G -b -n rp_id [-i cred_id] blob_path device
             Gets a CTAP 2.1 “largeBlob” associated with rp_id from device.
             If rp_id has multiple credentials enrolled on device, the
             credential ID must be specified using -i cred_id, where cred_id
             is a base64-encoded blob.  The blob is written to blob_path.  A
             PIN or equivalent user-verification gesture is required.

     -I device
             Retrieves information on device.

     -I -c device
             Retrieves resident credential metadata from device.  The user
             will be prompted for the PIN.

     -I -k rp_id -i cred_id device
             Prints the credential id (base64-encoded) and public key (PEM
             encoded) of the resident credential specified by rp_id and
             cred_id, where rp_id is a UTF-8 relying party id, and cred_id is
             a base64-encoded credential id.  The user will be prompted for
             the PIN.

     -L      Produces a list of authenticators found by the operating system.

     -L -b device
             Produces a list of CTAP 2.1 “largeBlobs” on device.  A PIN or
             equivalent user-verification gesture is required.

     -L -e device
             Produces a list of biometric enrollments on device.  The user
             will be prompted for the PIN.

     -L -r device
             Produces a list of relying parties with resident credentials on
             device.  The user will be prompted for the PIN.

     -L -k rp_id device
             Produces a list of resident credentials corresponding to relying
             party rp_id on device.  The user will be prompted for the PIN.

     -R      Performs a reset on device, restoring it to factory state.
             fido2-token will NOT prompt for confirmation.

     -S      Sets the PIN of device.  The user will be prompted for the PIN.

     -S -a device
             Enables CTAP 2.1 Enterprise Attestation on device.

     -S -b -k key_path blob_path device
             Sets a CTAP 2.1 “largeBlob” encrypted with key_path on device,
             where key_path holds the blob's base64-encoded 32-byte AES-256
             GCM encryption key.  The blob is read from blob_path.  A PIN or
             equivalent user-verification gesture is required.

     -S -b -n rp_id [-i cred_id] blob_path device
             Sets a CTAP 2.1 “largeBlob” associated with rp_id on device.  The
             blob is read from blob_path.  If rp_id has multiple credentials
             enrolled on device, the credential ID must be specified using -i
             cred_id, where cred_id is a base64-encoded blob.  A PIN or
             equivalent user-verification gesture is required.

     -S -c -i cred_id -k user_id -n name -p display_name device
             Sets the name and display_name attributes of the resident
             credential identified by cred_id and user_id, where name and
             display_name are UTF-8 strings and cred_id and user_id are
             base64-encoded blobs.  A PIN or equivalent user-verification
             gesture is required.

     -S -e device
             Performs a new biometric enrollment on device.  The user will be
             prompted for the PIN.

     -S -e -i template_id -n template_name device
             Sets the friendly name of the biometric enrollment specified by
             template_id to template_name on device, where template_id is
             base64-encoded and template_name is a UTF-8 string.  The user
             will be prompted for the PIN.

     -S -f device
             Forces a PIN change on device.  The user will be prompted for the
             PIN.

     -S -l pin_length device
             Sets the minimum PIN length of device to pin_length.  The user
             will be prompted for the PIN.

     -S -m rp_id device
             Sets the list of relying party IDs that are allowed to retrieve
             the minimum PIN length of device.  Multiple IDs may be specified,
             separated by commas.  The user will be prompted for the PIN.

     -S -u device
             Enables the CTAP 2.1 “user verification always” feature on
             device.

     -V      Prints version information.

     -d      Causes fido2-token to emit debugging output on stderr.

     If a tty is available, fido2-token will use it to prompt for PINs.
     Otherwise, stdin is used.

     fido2-token exits 0 on success and 1 on error.


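EXAMPLES

     The following shell script is an added example; it is not part of
     libfido2 and not the project's own code.  It walks the CTAP 2.1
     “largeBlob” operations above (-S -b, -G -b and -D -b with -k): it
     generates the 32-byte AES-256 GCM key in the base64 form key_path
     expects, rejects a key that does not decode to exactly 32 bytes before
     it ever reaches the token, stores a blob, reads it back and compares the
     two byte for byte.  It assumes fido2-token is on PATH, that the
     authenticator path is supplied in the FIDO2_DEVICE environment variable
     (a variable of this example, not one fido2-token reads), and that head,
     base64, cmp and mktemp are available.

```shell
#!/bin/sh
# Added example (not part of libfido2): round-trip a CTAP 2.1 "largeBlob"
# through fido2-token with a per-blob key.  Assumes fido2-token is on PATH,
# the authenticator path is in $FIDO2_DEVICE (this script's variable, not
# one fido2-token reads), and head, base64, cmp and mktemp are available.
# The steps that talk to the token run only when FIDO2_DEVICE is set; the
# key helpers run anywhere.
set -eu

# Write a fresh base64-encoded 32-byte AES-256 GCM key to $1, created with
# mode 0600.  This is exactly the key_path format -S/-G/-D -b -k consume.
largeblob_keygen() {
    ( umask 077; head -c 32 /dev/urandom | base64 | tr -d '\n' > "$1" )
}

# Return 0 iff the key file $1 decodes to exactly 32 bytes.  A truncated
# key, a non-base64 file or a missing file is rejected here rather than by
# the token after a PIN prompt.
largeblob_key_ok() {
    [ -r "$1" ] || return 1
    n=$(base64 -d "$1" 2>/dev/null | wc -c | tr -d ' ')
    [ "$n" = 32 ]
}

# Store blob $3 on device $1 under key $2, read it back, and verify it.
# The device path is always quoted: an authenticator's path may contain
# spaces.  The token prompts for the PIN or a user-verification gesture.
largeblob_roundtrip() {
    dev=$1 key=$2 blob=$3
    largeblob_key_ok "$key" || { echo "bad key file: $key" >&2; return 1; }
    out=$(mktemp)
    fido2-token -S -b -k "$key" "$blob" "$dev"
    fido2-token -G -b -k "$key" "$out" "$dev"
    if cmp -s "$blob" "$out"; then rc=0; else rc=1; fi
    rm -f "$out"
    return $rc
}

# Delete the blob stored under key $2 from device $1.  Keep the key file
# until this has run: by key, nothing else identifies the blob.
largeblob_delete() {
    fido2-token -D -b -k "$2" "$1"
}

if [ -n "${FIDO2_DEVICE:-}" ]; then
    key=$(mktemp) && largeblob_keygen "$key"
    blob=$(mktemp) && printf 'constructed sample payload\n' > "$blob"
    largeblob_roundtrip "$FIDO2_DEVICE" "$key" "$blob" && echo "round-trip ok"
    largeblob_delete "$FIDO2_DEVICE" "$key"
    rm -f "$key" "$blob"
fi
```

     Run it as FIDO2_DEVICE=/dev/hidrawN sh largeblob.sh (the file name is
     arbitrary); the token prompts for the PIN or a user-verification gesture
     at each -S, -G and -D step.  The key file is the only handle on a blob
     stored with -k: without it the blob can be read or deleted by key by
     nobody, and only the -n rp_id form of -D -b remains.
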
SEE ALSO

     fido2-assert(1), fido2-cred(1)


CAVEATS

     The actual user-flow to perform a reset is outside the scope of the FIDO2
     specification, and may therefore vary depending on the authenticator.
     Yubico authenticators do not allow resets after 5 seconds from power-up,
     and expect a reset to be confirmed by the user through touch within 30
     seconds.
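
     The following shell script is an added example, not code from libfido2,
     of a reset flow that fits those constraints: it asks for confirmation
     (fido2-token -R asks for none), tells the user to re-insert the token,
     issues -R as soon as the operating system lists it, and refuses to
     proceed unless exactly one authenticator is present so that the wrong
     token cannot be wiped.  It assumes fido2-token is on PATH, and it
     assumes the line format “path: vendor=0x..., product=0x... (...)”
     printed by fido2-token -L, which this page does not document.  The
     reset only runs when FIDO2_RESET=1 is set, a variable of this example,
     not one fido2-token reads.

```shell
#!/bin/sh
# Added example (not part of libfido2): reset an authenticator with an
# explicit confirmation step and the timing Yubico devices require (reset
# accepted only within 5 s of power-up, touch expected within 30 s).
# Assumes fido2-token is on PATH.  The reset runs only when FIDO2_RESET=1
# is set; that variable belongs to this script, not to fido2-token.
set -eu

# Read "fido2-token -L" output on stdin and print the device path only if
# exactly one authenticator is listed; otherwise print nothing and fail.
# ASSUMPTION: each line looks like "path: vendor=0x..., product=0x... (...)",
# the format libfido2's tool prints; this page does not document it.  The
# path is everything before ": vendor=0x", so paths with spaces survive.
single_device_path() {
    listing=$(cat)
    [ "$(printf '%s\n' "$listing" | grep -c .)" = 1 ] || return 1
    printf '%s\n' "$listing" | sed 's/: vendor=0x.*$//'
}

# Return 0 as soon as at least one authenticator is listed, 1 if none
# appears within $1 seconds.  Polling once a second keeps the reset well
# inside the 5 s window Yubico devices allow after power-up.
wait_for_device() {
    i=0
    while [ "$i" -lt "$1" ]; do
        if fido2-token -L 2>/dev/null | grep -q .; then return 0; fi
        sleep 1
        i=$((i + 1))
    done
    return 1
}

# fido2-token -R restores factory state without asking, so ask here.
# Succeeds only on a literal "yes" read from stdin.
confirm_reset() {
    printf 'This ERASES all credentials and the PIN on the next authenticator plugged in. Type yes to continue: '
    read -r answer
    [ "$answer" = yes ]
}

reset_flow() {
    confirm_reset || { echo "aborted" >&2; return 1; }
    echo "Unplug the authenticator, then plug it back in now..."
    wait_for_device 60 || { echo "no authenticator appeared" >&2; return 1; }
    dev=$(fido2-token -L | single_device_path) ||
        { echo "expected exactly one authenticator; refusing to reset" >&2; return 1; }
    # Issue the reset immediately; the path is quoted because it may
    # contain spaces.  The token then waits for a touch (up to 30 s).
    fido2-token -R "$dev"
    echo "reset done"
}

if [ "${FIDO2_RESET:-0}" = 1 ]; then
    reset_flow
fi
```

     Because the device node may change across a replug (for example a
     different /dev/hidrawN on Linux), the path is taken from the fresh
     listing rather than from an argument recorded before the unplug.
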

     An authenticator's path may contain spaces.

     Resident credentials are called “discoverable credentials” in CTAP 2.1.

     Whether the CTAP 2.1 “user verification always” feature is activated or
     deactivated after an authenticator reset is vendor-specific.

BSD                             April 11, 2022                             BSD