Provided by: fido2-tools_1.3.1-1ubuntu2_amd64

NAME

     fido2-token — find and manage a FIDO 2 authenticator

SYNOPSIS

     fido2-token [-CR] [-d] device
     fido2-token -D [-de] -i id device
     fido2-token -I [-cd] [-k rp_id -i cred_id] device
     fido2-token -L [-der] [-k rp_id] [device]
     fido2-token -S [-de] [-i template_id -n template_name] device
     fido2-token -V

DESCRIPTION

     fido2-token manages a FIDO 2 authenticator.

     The options are as follows:

     -C device
             Changes the PIN of device.  The user will be prompted for the current and new PINs.

     -D -i id device
             Deletes the resident credential specified by id from device, where id is the
             credential's base64-encoded id.  The user will be prompted for the PIN.

     -D -e -i id device
             Deletes the biometric enrollment specified by id from device, where id is the
             enrollment template's base64-encoded id.  The user will be prompted for the PIN.

     -I device
             Retrieves information on device.

     -I -c device
             Retrieves resident credential metadata from device.  The user will be prompted for
             the PIN.

     -I -k rp_id -i cred_id device
             Prints the credential id (base64-encoded) and public key (PEM encoded) of the
             resident credential specified by rp_id and cred_id, where rp_id is a UTF-8 relying
             party id, and cred_id is a base64-encoded credential id.  The user will be prompted
             for the PIN.

     -L      Produces a list of authenticators found by the operating system.

     -L -e device
             Produces a list of biometric enrollments on device.  The user will be prompted for
             the PIN.

     -L -r device
             Produces a list of relying parties with resident credentials on device.  The user
             will be prompted for the PIN.

     -L -k rp_id device
             Produces a list of resident credentials corresponding to relying party rp_id on
             device.  The user will be prompted for the PIN.

     -R      Performs a reset on device.  fido2-token will NOT prompt for confirmation.

     -S      Sets the PIN of device.  The user will be prompted for the PIN.

     -S -e device
             Performs a new biometric enrollment on device.  The user will be prompted for the
             PIN.

     -S -e -i template_id -n template_name device
             Sets the friendly name of the biometric enrollment specified by template_id to
             template_name on device, where template_id is base64-encoded and template_name is a
             UTF-8 string.  The user will be prompted for the PIN.

     -V      Prints version information.

     -d      Causes fido2-token to emit debugging output on stderr.

     If a tty is available, fido2-token will use it to prompt for PINs.  Otherwise, stdin is
     used.

     fido2-token exits 0 on success and 1 on error.

SEE ALSO

     fido2-assert(1), fido2-cred(1)

CAVEATS

     The actual user-flow to perform a reset is outside the scope of the FIDO2 specification, and
     may therefore vary depending on the authenticator.  Yubico authenticators do not allow
     resets after 5 seconds from power-up, and expect a reset to be confirmed by the user through
     touch within 30 seconds.
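
EXAMPLES

     Because -R does not prompt for confirmation and some authenticators only accept a reset
     shortly after power-up, a wrapper can collect the confirmation before the re-plug and send
     the reset as soon as the device answers again.  The script below is an added example, not
     part of fido2-tools; guarded_reset, probe, wait_for, FIDO2_TOKEN and POLL_INTERVAL are
     names chosen for it, and it assumes the device path is unchanged after the re-plug.

```shell
#!/bin/sh
# Added example (not part of fido2-tools): confirm first, then reset.
# FIDO2_TOKEN and POLL_INTERVAL are knobs of this wrapper, not fido2-token options.
FIDO2_TOKEN=${FIDO2_TOKEN:-fido2-token}
POLL_INTERVAL=${POLL_INTERVAL:-1}

# probe DEVICE: true if `fido2-token -I` exits 0 for the device.
probe() { "$FIDO2_TOKEN" -I "$1" >/dev/null 2>&1; }

# wait_for present|absent DEVICE TRIES: poll until the device is in that state.
wait_for() {
    wf_n=0
    while [ "$wf_n" -lt "$3" ]; do
        if probe "$2"; then wf_now=present; else wf_now=absent; fi
        [ "$wf_now" = "$1" ] && return 0
        sleep "$POLL_INTERVAL"
        wf_n=$((wf_n + 1))
    done
    return 1
}

# guarded_reset DEVICE [TRIES]: reads one confirmation line from stdin.
# Assumption: the device path is the same after the re-plug.
guarded_reset() {
    gr_dev=$1
    gr_tries=${2:-30}
    [ -n "$gr_dev" ] || { echo "usage: guarded_reset device [tries]" >&2; return 2; }

    # Ask before the re-plug: -R never asks, and a prompt after power-up
    # would use up the short window in which a reset is still accepted.
    printf 'Reset erases every credential and the PIN on %s.\n' "$gr_dev" >&2
    printf 'Type the device path to confirm: ' >&2
    IFS= read -r gr_answer || gr_answer=
    if [ "$gr_answer" != "$gr_dev" ]; then
        echo "confirmation mismatch; nothing was sent to the device" >&2
        return 3
    fi

    echo "Unplug the authenticator, then plug it back in." >&2
    wait_for absent "$gr_dev" "$gr_tries" || { echo "device was never removed" >&2; return 4; }
    wait_for present "$gr_dev" "$gr_tries" || { echo "device did not come back" >&2; return 4; }

    # Fresh power-up seen: send the reset at once, the user confirms by touch.
    echo "Sending reset; touch the authenticator to confirm." >&2
    "$FIDO2_TOKEN" -R "$gr_dev"
}
```

     Source the file and run guarded_reset with the device path reported by fido2-token -L.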