Updated: 2020/Jul/29


FIDO2-TOKEN(1)              General Commands Manual             FIDO2-TOKEN(1)

NAME
     fido2-token - find and manage a FIDO 2 authenticator

SYNOPSIS
     fido2-token [-CR] [-d] device
     fido2-token -D [-de] -i id device
     fido2-token -I [-cd] [-k rp_id -i cred_id] device
     fido2-token -L [-der] [-k rp_id] [device]
     fido2-token -S [-de] [-i template_id -n template_name] device
     fido2-token -V

DESCRIPTION
     fido2-token manages a FIDO 2 authenticator.

     The options are as follows:

     -C device
             Changes the PIN of device.  The user will be prompted for the
             current and new PINs.

     -D -i id device
             Deletes the resident credential specified by id from device,
             where id is the credential's base64-encoded id.  The user will be
             prompted for the PIN.

     -D -e -i id device
             Deletes the biometric enrollment specified by id from device,
             where id is the base64-encoded id of the enrollment's template.
             The user will be prompted for the PIN.

     -I device
             Retrieves information on device.

     -I -c device
             Retrieves resident credential metadata from device.  The user
             will be prompted for the PIN.

     -I -k rp_id -i cred_id device
             Prints the credential id (base64-encoded) and public key
             (PEM-encoded) of the resident credential specified by rp_id and
             cred_id, where rp_id is a UTF-8 relying party id, and cred_id is
             a base64-encoded credential id.  The user will be prompted for
             the PIN.

     -L      Produces a list of authenticators found by the operating system.

     -L -e device
             Produces a list of biometric enrollments on device.  The user
             will be prompted for the PIN.

     -L -r device
             Produces a list of relying parties with resident credentials on
             device.  The user will be prompted for the PIN.

     -L -k rp_id device
             Produces a list of resident credentials corresponding to relying
             party rp_id on device.  The user will be prompted for the PIN.

     -R      Performs a reset on device.  fido2-token will NOT prompt for
             confirmation.

     -S      Sets the PIN of device.  The user will be prompted for the PIN.

     -S -e device
             Performs a new biometric enrollment on device.  The user will be
             prompted for the PIN.

     -S -e -i template_id -n template_name device
             Sets the friendly name of the biometric enrollment specified by
             template_id to template_name on device, where template_id is
             base64-encoded and template_name is a UTF-8 string.  The user
             will be prompted for the PIN.

     -V      Prints version information.

     -d      Causes fido2-token to emit debugging output on stderr.

     If a tty is available, fido2-token will use it to prompt for PINs.
     Otherwise, stdin is used.

     fido2-token exits 0 on success and 1 on error.

SEE ALSO
     fido2-assert(1), fido2-cred(1)

CAVEATS
     The actual user-flow to perform a reset is outside the scope of the FIDO2
     specification, and may therefore vary depending on the authenticator.
     Yubico authenticators do not allow resets more than 5 seconds after power-up,
     and expect a reset to be confirmed by the user through touch within 30
     seconds.
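
     Because -R does not prompt for confirmation, a wrapper can ask for one
     before calling it. The following POSIX sh sketch is an added example, not
     part of fido2-token or of this manual; the function name guarded_reset and
     the FIDO2_TOKEN override variable are assumptions made for the example.

```shell
#!/bin/sh
# Added example: confirmation guard around `fido2-token -R`.
# FIDO2_TOKEN (hypothetical variable) lets a different binary or a test
# stub be substituted for the real command.
FIDO2_TOKEN="${FIDO2_TOKEN:-fido2-token}"

# guarded_reset device
# Returns 0 only if the operator confirmed and `-R` exited 0.
guarded_reset() {
    dev="$1"
    if [ -z "$dev" ]; then
        echo "usage: guarded_reset device" >&2
        return 2
    fi

    # Ask first: fido2-token itself will NOT prompt before a reset.
    # Retyping the path guards against resetting the wrong authenticator
    # when several are attached (see `fido2-token -L`).
    printf 'About to reset %s. Retype the device path to confirm: ' "$dev" >&2
    IFS= read -r answer || return 1
    if [ "$answer" != "$dev" ]; then
        echo "confirmation mismatch; not resetting" >&2
        return 1
    fi

    # Plain -I is listed without a PIN prompt; exit status 1 means the
    # device could not be queried, so stop before attempting the reset.
    if ! "$FIDO2_TOKEN" -I "$dev" >&2; then
        echo "cannot query $dev; not resetting" >&2
        return 1
    fi

    # Some authenticators want a touch shortly after the reset is issued
    # (see CAVEATS), so tell the operator before the call blocks.
    echo "resetting $dev; touch the authenticator if it asks" >&2
    if "$FIDO2_TOKEN" -R "$dev"; then
        echo "reset of $dev succeeded" >&2
        return 0
    fi
    echo "reset of $dev failed" >&2
    return 1
}
```

     On authenticators with a short reset window after power-up, insert the
     device only once the confirmation prompt is on screen.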

NetBSD 9.99                    September 13, 2019                    NetBSD 9.99