Provided by: fido2-tools_1.3.1-1ubuntu2_amd64

NAME

       fido2-token — find and manage a FIDO 2 authenticator

SYNOPSIS

       fido2-token [-CR] [-d] device
       fido2-token -D [-de] -i id device
       fido2-token -I [-cd] [-k rp_id -i cred_id] device
       fido2-token -L [-der] [-k rp_id] [device]
       fido2-token -S [-de] [-i template_id -n template_name] device
       fido2-token -V

DESCRIPTION

       fido2-token manages a FIDO 2 authenticator.

       The options are as follows:

       -C device
               Changes the PIN of device.  The user will be prompted for the current and new PINs.

       -D -i id device
               Deletes the resident credential specified by id from device, where id is the credential's
               base64-encoded id.  The user will be prompted for the PIN.

       -D -e -i id device
               Deletes the biometric enrollment specified by id from device, where id is the enrollment's
               base64-encoded template id.  The user will be prompted for the PIN.

       -I device
               Retrieves information on device.

       -I -c device
               Retrieves resident credential metadata from device.  The user will be prompted for the PIN.

       -I -k rp_id -i cred_id device
               Prints the credential id (base64-encoded) and public key (PEM encoded) of the resident credential
               specified by rp_id and cred_id, where rp_id is a UTF-8 relying party id, and cred_id is a
               base64-encoded credential id.  The user will be prompted for the PIN.

       -L      Produces a list of authenticators found by the operating system.

       -L -e device
               Produces a list of biometric enrollments on device.  The user will be prompted for the PIN.

       -L -r device
               Produces a list of relying parties with resident credentials on device.  The user will be
               prompted for the PIN.

       -L -k rp_id device
               Produces a list of resident credentials corresponding to relying party rp_id on device.  The user
               will be prompted for the PIN.

       -R      Performs a reset on device.  fido2-token will NOT prompt for confirmation.

       -S      Sets the PIN of device.  The user will be prompted for the PIN.

       -S -e device
               Performs a new biometric enrollment on device.  The user will be prompted for the PIN.

       -S -e -i template_id -n template_name device
               Sets the friendly name of the biometric enrollment specified by template_id to template_name on
               device, where template_id is base64-encoded and template_name is a UTF-8 string.  The user will
               be prompted for the PIN.

       -V      Prints version information.

       -d      Causes fido2-token to emit debugging output on stderr.

       If a tty is available, fido2-token will use it to prompt for PINs.  Otherwise, stdin is used.

       fido2-token exits 0 on success and 1 on error.

SEE ALSO

       fido2-assert(1), fido2-cred(1)

CAVEATS

       The actual user-flow to perform a reset is outside the scope of the FIDO2 specification, and may
       therefore vary depending on the authenticator.  Yubico authenticators do not allow resets more than
       5 seconds after power-up, and expect a reset to be confirmed by the user through touch within 30
       seconds.
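
       Because -R does not prompt for confirmation, a wrapper can add one.  The following is an added
       example, not part of fido2-tools: the function name guarded_reset, the FIDO2_TOKEN override
       variable and the return codes 2 and 3 are assumptions of this example.

```shell
#!/bin/sh
# Added example: confirmation guard around `fido2-token -R`.
# FIDO2_TOKEN may be overridden (assumption of this example) so the logic
# can be exercised without an authenticator attached.
FIDO2_TOKEN=${FIDO2_TOKEN:-fido2-token}

# guarded_reset DEVICE
#   Returns 2 on missing argument, 1 if the device cannot be queried,
#   3 if the typed confirmation does not match, otherwise the exit
#   status of `fido2-token -R DEVICE`.
guarded_reset() {
    dev=$1
    if [ -z "$dev" ]; then
        echo "usage: guarded_reset device" >&2
        return 2
    fi

    # -I retrieves information on the device. Showing it first lets the
    # operator check that this is the intended token; exit 1 means the
    # path is wrong or the token is not present.
    if ! "$FIDO2_TOKEN" -I "$dev" >&2; then
        echo "cannot query $dev, refusing to reset" >&2
        return 1
    fi

    # A FIDO2 reset erases the credentials and PIN on the authenticator,
    # so require the exact device path rather than a y/n answer.
    printf 'Reset wipes %s. Retype the device path to continue: ' "$dev" >&2
    IFS= read -r answer || answer=
    if [ "$answer" != "$dev" ]; then
        echo "confirmation mismatch, nothing was reset" >&2
        return 3
    fi

    "$FIDO2_TOKEN" -R "$dev"
}
```

       The power-up window described above still applies: time spent at the prompt counts against it,
       so on such authenticators the reset may fail with exit status 1 until the token is re-inserted
       and the call repeated promptly.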

Debian                                         September 13, 2019                                 FIDO2-TOKEN(1)