fido2-token — find and manage a FIDO2 authenticator

       The  actual  user-flow  to  perform  a  reset  is  outside  the scope of the FIDO2 specification, and may
       therefore vary depending on the authenticator.  Yubico authenticators do not allow resets after 5 seconds
       from power-up, and expect a reset to be confirmed by the user through touch within 30 seconds.

       An authenticator's path may contain spaces.

       Resident credentials are called “discoverable credentials” in CTAP 2.1.

       Whether  the  CTAP  2.1  “user  verification  always”  feature  is  activated  or  deactivated  after  an
       authenticator reset is vendor-specific.

Debian                                           April 11, 2022                                   FIDO2-TOKEN(1)

fido2-token manages a FIDO2 authenticator.

       The options are as follows:

       -Cdevice
               Changes the PIN of device.  The user will be prompted for the current and new PINs.

       -D-iiddevice
               Deletes  the  resident  credential  specified  by  id  from  device, where id is the credential's
               base64-encoded id.  The user will be prompted for the PIN.

       -D-b-kkey_pathdevice
               Deletes a “largeBlob” encrypted with key_path  from  device,  where  key_path  holds  the  blob's
               base64-encoded 32-byte AES-256 GCM encryption key.  A PIN or equivalent user-verification gesture
               is required.

       -D-b-nrp_id [-icred_id] device
               Deletes  a  “largeBlob”  corresponding  to  rp_id from device.  If rp_id has multiple credentials
               enrolled on device, the credential ID must be specified using -icred_id,  where  cred_id  is  a
               base64-encoded blob.  A PIN or equivalent user-verification gesture is required.

       -D-e-iiddevice
               Deletes  the  biometric  enrollment  specified  by  id  from device, where id is the enrollment's
               template base64-encoded id.  The user will be prompted for the PIN.

       -D-udevice
               Disables the CTAP 2.1 “user verification always” feature on device.

       -G-b-kkey_pathblob_pathdevice
               Gets a CTAP 2.1 “largeBlob” encrypted with key_path from device, where key_path holds the  blob's
               base64-encoded  32-byte  AES-256 GCM encryption key.  The blob is written to blob_path.  A PIN or
               equivalent user-verification gesture is required.

       -G-b-nrp_id [-icred_id] blob_pathdevice
               Gets a CTAP 2.1 “largeBlob” associated with rp_id from device.  If rp_id has multiple credentials
               enrolled on device, the credential ID must be specified using -icred_id,  where  cred_id  is  a
               base64-encoded  blob.   The  blob is written to blob_path.  A PIN or equivalent user-verification
               gesture is required.

       -Idevice
               Retrieves information on device.

       -I-cdevice
               Retrieves resident credential metadata from device.  The user will be prompted for the PIN.

       -I-krp_id-icred_iddevice
               Prints the credential id (base64-encoded) and public key (PEM encoded) of the resident credential
               specified by rp_id and cred_id, where rp_id is a  UTF-8  relying  party  id,  and  cred_id  is  a
               base64-encoded credential id.  The user will be prompted for the PIN.

       -L      Produces a list of authenticators found by the operating system.

       -L-bdevice
               Produces  a  list  of  CTAP  2.1  “largeBlobs”  on device.  A PIN or equivalent user-verification
               gesture is required.

       -L-edevice
               Produces a list of biometric enrollments on device.  The user will be prompted for the PIN.

       -L-rdevice
               Produces a list of relying parties with  resident  credentials  on  device.   The  user  will  be
               prompted for the PIN.

       -L-krp_iddevice
               Produces a list of resident credentials corresponding to relying party rp_id on device.  The user
               will be prompted for the PIN.

       -R      Performs a reset on device.  fido2-token will NOT prompt for confirmation.

       -S      Sets the PIN of device.  The user will be prompted for the PIN.

       -S-adevice
               Enables CTAP 2.1 Enterprise Attestation on device.

       -S-b-kkey_pathblob_pathdevice
               Sets  a  CTAP  2.1 “largeBlob” encrypted with key_path on device, where key_path holds the blob's
               base64-encoded 32-byte AES-256 GCM encryption key.  The blob is read from blob_path.   A  PIN  or
               equivalent user-verification gesture is required.

       -S-b-nrp_id [-icred_id] blob_pathdevice
               Sets  a  CTAP  2.1 “largeBlob” associated with rp_id on device.  The blob is read from blob_path.
               If rp_id has multiple credentials enrolled on device, the credential ID must be  specified  using
               -icred_id,  where  cred_id  is  a  base64-encoded  blob.  A PIN or equivalent user-verification
               gesture is required.

       -S-c-icred_id-kuser_id-nname-pdisplay_namedevice
               Sets the name and display_name attributes of the resident credential identified  by  cred_id  and
               user_id, where name and display_name are UTF-8 strings and cred_id and user_id are base64-encoded
               blobs.  A PIN or equivalent user-verification gesture is required.

       -S-edevice
               Performs a new biometric enrollment on device.  The user will be prompted for the PIN.

       -S-e-itemplate_id-ntemplate_namedevice
               Sets  the  friendly name of the biometric enrollment specified by template_id to template_name on
               device, where template_id is base64-encoded and template_name is a UTF-8 string.  The  user  will
               be prompted for the PIN.

       -S-fdevice
               Forces a PIN change on device.  The user will be prompted for the PIN.

       -S-lpin_lengthdevice
               Sets the minimum PIN length of device to pin_length.  The user will be prompted for the PIN.

       -S-mrp_iddevice
               Sets the list of relying party IDs that are allowed to retrieve the minimum PIN length of device.
               Multiple IDs may be specified, separated by commas.  The user will be prompted for the PIN.

       -S-udevice
               Enables the CTAP 2.1 “user verification always” feature on device.

       -V      Prints version information.

       -d      Causes fido2-token to emit debugging output on stderr.

       If a tty is available, fido2-token will use it to prompt for PINs.  Otherwise, stdin is used.

       fido2-token exits 0 on success and 1 on error.

       fido2-token — find and manage a FIDO2 authenticator

fido2-assert(1), fido2-cred(1)

fido2-token-C [-d] devicefido2-token-D [-d] -icred_iddevicefido2-token-D-b [-d] -kkey_pathdevicefido2-token-D-b [-d] -nrp_id [-icred_id] devicefido2-token-D-e [-d] -itemplate_iddevicefido2-token-D-u [-d] devicefido2-token-G-b [-d] -kkey_pathblob_pathdevicefido2-token-G-b [-d] -nrp_id [-icred_id] blob_pathdevicefido2-token-I [-cd] [-krp_id-icred_id] devicefido2-token-L [-bder] [-krp_id] [device]
       fido2-token-R [-d] devicefido2-token-S [-adefu] devicefido2-token-S [-d] -itemplate_id-ntemplate_namedevicefido2-token-S [-d] -lpin_lengthdevicefido2-token-S-b [-d] -kkey_pathblob_pathdevicefido2-token-S-b [-d] -nrp_id [-icred_id] blob_pathdevicefido2-token-S-c [-d] -icred_id-kuser_id-nname-pdisplay_namedevicefido2-token-S-mrp_iddevicefido2-token-V