Provided by: fido2-tools_1.13.0-1_amd64 bug

NAME

     fido2-token — find and manage a FIDO2 authenticator

SYNOPSIS

     fido2-token -C [-d] device
     fido2-token -D [-d] -i cred_id device
     fido2-token -D -b [-d] -k key_path device
     fido2-token -D -b [-d] -n rp_id [-i cred_id] device
     fido2-token -D -e [-d] -i template_id device
     fido2-token -D -u [-d] device
     fido2-token -G -b [-d] -k key_path blob_path device
     fido2-token -G -b [-d] -n rp_id [-i cred_id] blob_path device
     fido2-token -I [-cd] [-k rp_id -i cred_id] device
     fido2-token -L [-bder] [-k rp_id] [device]
     fido2-token -R [-d] device
     fido2-token -S [-adefu] device
     fido2-token -S [-d] -i template_id -n template_name device
     fido2-token -S [-d] -l pin_length device
     fido2-token -S -b [-d] -k key_path blob_path device
     fido2-token -S -b [-d] -n rp_id [-i cred_id] blob_path device
     fido2-token -S -c [-d] -i cred_id -k user_id -n name -p display_name device
     fido2-token -S -m rp_id device
     fido2-token -V

DESCRIPTION

     fido2-token manages a FIDO2 authenticator.

     The options are as follows:

     -C device
             Changes the PIN of device.  The user will be prompted for the current and new PINs.

     -D -i id device
             Deletes the resident credential specified by id from device, where id is the
             credential's base64-encoded id.  The user will be prompted for the PIN.

     -D -b -k key_path device
             Deletes a “largeBlob” encrypted with key_path from device, where key_path holds the
             blob's base64-encoded 32-byte AES-256 GCM encryption key.  A PIN or equivalent user-
             verification gesture is required.

     -D -b -n rp_id [-i cred_id] device
             Deletes a “largeBlob” corresponding to rp_id from device.  If rp_id has multiple
             credentials enrolled on device, the credential ID must be specified using -i
             cred_id, where cred_id is a base64-encoded blob.  A PIN or equivalent user-
             verification gesture is required.

     -D -e -i id device
             Deletes the biometric enrollment specified by id from device, where id is the
             enrollment's template base64-encoded id.  The user will be prompted for the PIN.

     -D -u device
             Disables the CTAP 2.1 “user verification always” feature on device.

     -G -b -k key_path blob_path device
             Gets a CTAP 2.1 “largeBlob” encrypted with key_path from device, where key_path
             holds the blob's base64-encoded 32-byte AES-256 GCM encryption key.  The blob is
             written to blob_path.  A PIN or equivalent user-verification gesture is required.

     -G -b -n rp_id [-i cred_id] blob_path device
             Gets a CTAP 2.1 “largeBlob” associated with rp_id from device.  If rp_id has
             multiple credentials enrolled on device, the credential ID must be specified using
             -i cred_id, where cred_id is a base64-encoded blob.  The blob is written to
             blob_path.  A PIN or equivalent user-verification gesture is required.

     -I device
             Retrieves information on device.

     -I -c device
             Retrieves resident credential metadata from device.  The user will be prompted for
             the PIN.

     -I -k rp_id -i cred_id device
             Prints the credential id (base64-encoded) and public key (PEM encoded) of the
             resident credential specified by rp_id and cred_id, where rp_id is a UTF-8 relying
             party id, and cred_id is a base64-encoded credential id.  The user will be prompted
             for the PIN.

     -L      Produces a list of authenticators found by the operating system.

     -L -b device
             Produces a list of CTAP 2.1 “largeBlobs” on device.  A PIN or equivalent user-
             verification gesture is required.

     -L -e device
             Produces a list of biometric enrollments on device.  The user will be prompted for
             the PIN.

     -L -r device
             Produces a list of relying parties with resident credentials on device.  The user
             will be prompted for the PIN.

     -L -k rp_id device
             Produces a list of resident credentials corresponding to relying party rp_id on
             device.  The user will be prompted for the PIN.

     -R      Performs a reset on device.  fido2-token will NOT prompt for confirmation.

     -S      Sets the PIN of device.  The user will be prompted for the PIN.

     -S -a device
             Enables CTAP 2.1 Enterprise Attestation on device.

     -S -b -k key_path blob_path device
             Sets a CTAP 2.1 “largeBlob” encrypted with key_path on device, where key_path holds
             the blob's base64-encoded 32-byte AES-256 GCM encryption key.  The blob is read from
             blob_path.  A PIN or equivalent user-verification gesture is required.

     -S -b -n rp_id [-i cred_id] blob_path device
             Sets a CTAP 2.1 “largeBlob” associated with rp_id on device.  The blob is read from
             blob_path.  If rp_id has multiple credentials enrolled on device, the credential ID
             must be specified using -i cred_id, where cred_id is a base64-encoded blob.  A PIN
             or equivalent user-verification gesture is required.

     -S -c -i cred_id -k user_id -n name -p display_name device
             Sets the name and display_name attributes of the resident credential identified by
             cred_id and user_id, where name and display_name are UTF-8 strings and cred_id and
             user_id are base64-encoded blobs.  A PIN or equivalent user-verification gesture is
             required.

     -S -e device
             Performs a new biometric enrollment on device.  The user will be prompted for the
             PIN.

     -S -e -i template_id -n template_name device
             Sets the friendly name of the biometric enrollment specified by template_id to
             template_name on device, where template_id is base64-encoded and template_name is a
             UTF-8 string.  The user will be prompted for the PIN.

     -S -f device
             Forces a PIN change on device.  The user will be prompted for the PIN.

     -S -l pin_length device
             Sets the minimum PIN length of device to pin_length.  The user will be prompted for
             the PIN.

     -S -m rp_id device
             Sets the list of relying party IDs that are allowed to retrieve the minimum PIN
             length of device.  Multiple IDs may be specified, separated by commas.  The user
             will be prompted for the PIN.

     -S -u device
             Enables the CTAP 2.1 “user verification always” feature on device.

     -V      Prints version information.

     -d      Causes fido2-token to emit debugging output on stderr.

     If a tty is available, fido2-token will use it to prompt for PINs.  Otherwise, stdin is
     used.

     fido2-token exits 0 on success and 1 on error.

SEE ALSO

     fido2-assert(1), fido2-cred(1)

CAVEATS

     The actual user-flow to perform a reset is outside the scope of the FIDO2 specification, and
     may therefore vary depending on the authenticator.  Yubico authenticators do not allow
     resets after 5 seconds from power-up, and expect a reset to be confirmed by the user through
     touch within 30 seconds.

     An authenticator's path may contain spaces.

     Resident credentials are called “discoverable credentials” in CTAP 2.1.

     Whether the CTAP 2.1 “user verification always” feature is activated or deactivated after an
     authenticator reset is vendor-specific.