Provided by: fido2-tools_1.3.1-1ubuntu2_amd64 bug

NAME
     fido2-token — find and manage a FIDO 2 authenticator


SYNOPSIS
     fido2-token [-CR] [-d] device
     fido2-token -D [-de] -i id device
     fido2-token -I [-cd] [-k rp_id -i cred_id] device
     fido2-token -L [-der] [-k rp_id] [device]
     fido2-token -S [-de] [-i template_id -n template_name] device
     fido2-token -V


DESCRIPTION
     fido2-token manages a FIDO 2 authenticator.

     The options are as follows:

     -C device
             Changes the PIN of device.  The user will be prompted for the current and new PINs.

     -D -i id device
             Deletes the resident credential specified by id from device, where id is the credential's
             base64-encoded id.  The user will be prompted for the PIN.

     -D -e -i id device
             Deletes the biometric enrollment specified by id from device, where id is the enrollment's template
             base64-encoded id.  The user will be prompted for the PIN.

     -I device
             Retrieves information on device.

     -I -c device
             Retrieves resident credential metadata from device.  The user will be prompted for the PIN.

     -I -k rp_id -i cred_id device
             Prints the credential id (base64-encoded) and public key (PEM encoded) of the resident credential
             specified by rp_id and cred_id, where rp_id is a UTF-8 relying party id, and cred_id is a
             base64-encoded credential id.  The user will be prompted for the PIN.

     -L      Produces a list of authenticators found by the operating system.

     -L -e device
             Produces a list of biometric enrollments on device.  The user will be prompted for the PIN.

     -L -r device
             Produces a list of relying parties with resident credentials on device.  The user will be prompted
             for the PIN.

     -L -k rp_id device
             Produces a list of resident credentials corresponding to relying party rp_id on device.  The user
             will be prompted for the PIN.

     -R      Performs a reset on device.  fido2-token will NOT prompt for confirmation.

     -S      Sets the PIN of device.  The user will be prompted for the PIN.

     -S -e device
             Performs a new biometric enrollment on device.  The user will be prompted for the PIN.

     -S -e -i template_id -n template_name device
             Sets the friendly name of the biometric enrollment specified by template_id to template_name on
             device, where template_id is base64-encoded and template_name is a UTF-8 string.  The user will be
             prompted for the PIN.

     -V      Prints version information.

     -d      Causes fido2-token to emit debugging output on stderr.

     If a tty is available, fido2-token will use it to prompt for PINs.  Otherwise, stdin is used.

     fido2-token exits 0 on success and 1 on error.


SEE ALSO
     fido2-assert(1), fido2-cred(1)


CAVEATS
     The actual user-flow to perform a reset is outside the scope of the FIDO2 specification, and may therefore
     vary depending on the authenticator.  Yubico authenticators do not allow resets after 5 seconds from power-
     up, and expect a reset to be confirmed by the user through touch within 30 seconds.