fido2-token

FIDO2-TOKEN(1) General Commands Manual FIDO2-TOKEN(1)

NAME
fido2-token - find and manage a FIDO 2 authenticator

SYNOPSIS
fido2-token [-CR] [-d] device
fido2-token -D [-de] -i id device
fido2-token -I [-cd] [-k rp_id -i cred_id] device
fido2-token -L [-der] [-k rp_id] [device]
fido2-token -S [-de] [-i template_id -n template_name] device
fido2-token -V

DESCRIPTION
fido2-token manages a FIDO 2 authenticator.

The options are as follows:

-C device
    Changes the PIN of device. The user will be prompted for the current and new PINs.
-D -i id device
    Deletes the resident credential specified by id from device, where id is the credential's base64-encoded id. The user will be prompted for the PIN.
-D -e -i id device
    Deletes the biometric enrollment specified by id from device, where id is the enrollment's base64-encoded template id. The user will be prompted for the PIN.
-I device
    Retrieves information on device.
-I -c device
    Retrieves resident credential metadata from device. The user will be prompted for the PIN.
-I -k rp_id -i cred_id device
    Prints the credential id (base64-encoded) and public key (PEM-encoded) of the resident credential specified by rp_id and cred_id, where rp_id is a UTF-8 relying party id, and cred_id is a base64-encoded credential id. The user will be prompted for the PIN.
-L
    Produces a list of authenticators found by the operating system.
-L -e device
    Produces a list of biometric enrollments on device. The user will be prompted for the PIN.
-L -r device
    Produces a list of relying parties with resident credentials on device. The user will be prompted for the PIN.
-L -k rp_id device
    Produces a list of resident credentials corresponding to relying party rp_id on device. The user will be prompted for the PIN.
-R device
    Performs a reset on device. fido2-token will NOT prompt for confirmation.
-S device
    Sets the PIN of device. The user will be prompted for the PIN.
-S -e device
    Performs a new biometric enrollment on device. The user will be prompted for the PIN.
-S -e -i template_id -n template_name device
    Sets the friendly name of the biometric enrollment specified by template_id to template_name on device, where template_id is base64-encoded and template_name is a UTF-8 string. The user will be prompted for the PIN.
-V
    Prints version information.
-d
    Causes fido2-token to emit debugging output on stderr.

If a tty is available, fido2-token will use it to prompt for PINs. Otherwise, stdin is used.

EXIT STATUS
fido2-token exits 0 on success and 1 on error.

SEE ALSO
fido2-assert(1), fido2-cred(1)

CAVEATS
The actual user flow to perform a reset is outside the scope of the FIDO2 specification, and may therefore vary depending on the authenticator. Yubico authenticators do not allow a reset more than 5 seconds after power-up, and expect the reset to be confirmed by the user through touch within 30 seconds.
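
Because the reset option does not prompt for confirmation, a wrapper can demand an explicit confirmation before the command is run. The following is an added example, not part of the original manual page or of libfido2; the function name guarded_reset and the FIDO2_TOKEN_BIN variable are hypothetical.

```shell
#!/bin/sh
# Added example (not from the fido2-token manual page): a confirmation
# gate for `fido2-token -R`, which resets the device without asking.

# Assumption: FIDO2_TOKEN_BIN is a hypothetical override for the binary path.
FIDO2_TOKEN_BIN="${FIDO2_TOKEN_BIN:-fido2-token}"

# guarded_reset DEVICE
# Reads one confirmation line from stdin and runs the reset only when that
# line is exactly DEVICE.
# Returns: 0 reset succeeded, 1 fido2-token reported an error,
#          2 refused (bad usage or confirmation mismatch; nothing was run).
guarded_reset() {
    dev="$1"
    if [ -z "$dev" ]; then
        echo "usage: guarded_reset device" >&2
        return 2
    fi

    printf 'fido2-token -R does not ask for confirmation.\n' >&2
    printf 'Type the device path (%s) to reset it: ' "$dev" >&2
    # An unterminated or missing line counts as "no confirmation".
    IFS= read -r answer || answer=""
    if [ "$answer" != "$dev" ]; then
        echo "confirmation mismatch, $dev left untouched" >&2
        return 2
    fi

    # The manual documents exit status 0 on success and 1 on error.
    if "$FIDO2_TOKEN_BIN" -R "$dev"; then
        echo "reset of $dev completed" >&2
        return 0
    fi
    # CAVEATS: the reset flow is authenticator-specific. Yubico devices
    # refuse a reset later than 5 seconds after power-up and expect a
    # touch within 30 seconds, so replug the device and retry promptly.
    echo "reset of $dev failed; replug the device and retry right away" >&2
    return 1
}
```

Source the file and call `guarded_reset` with the device path reported by `fido2-token -L`.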
September 13, 2019 Linux 5.3.12-arch1-1