1.\" Copyright (c) 2018-2021 Yubico AB. All rights reserved. 2.\" Use of this source code is governed by a BSD-style 3.\" license that can be found in the LICENSE file. 4.\" 5.Dd $Mdocdate: September 13 2019 $ 6.Dt FIDO2-TOKEN 1 7.Os 8.Sh NAME 9.Nm fido2-token 10.Nd find and manage a FIDO2 authenticator 11.Sh SYNOPSIS 12.Nm 13.Fl C 14.Op Fl d 15.Ar device 16.Nm 17.Fl D 18.Op Fl d 19.Fl i 20.Ar cred_id 21.Ar device 22.Nm 23.Fl D 24.Fl b 25.Op Fl d 26.Fl k Ar key_path 27.Ar device 28.Nm 29.Fl D 30.Fl b 31.Op Fl d 32.Fl n Ar rp_id 33.Op Fl i Ar cred_id 34.Ar device 35.Nm 36.Fl D 37.Fl e 38.Op Fl d 39.Fl i 40.Ar template_id 41.Ar device 42.Nm 43.Fl D 44.Fl u 45.Op Fl d 46.Ar device 47.Nm 48.Fl G 49.Fl b 50.Op Fl d 51.Fl k Ar key_path 52.Ar blob_path 53.Ar device 54.Nm 55.Fl G 56.Fl b 57.Op Fl d 58.Fl n Ar rp_id 59.Op Fl i Ar cred_id 60.Ar blob_path 61.Ar device 62.Nm 63.Fl I 64.Op Fl cd 65.Op Fl k Ar rp_id Fl i Ar cred_id 66.Ar device 67.Nm 68.Fl L 69.Op Fl bder 70.Op Fl k Ar rp_id 71.Op device 72.Nm 73.Fl R 74.Op Fl d 75.Ar device 76.Nm 77.Fl S 78.Op Fl adefu 79.Ar device 80.Nm 81.Fl S 82.Op Fl d 83.Fl i Ar template_id 84.Fl n Ar template_name 85.Ar device 86.Nm 87.Fl S 88.Op Fl d 89.Fl l Ar pin_length 90.Ar device 91.Nm 92.Fl S 93.Fl b 94.Op Fl d 95.Fl k Ar key_path 96.Ar blob_path 97.Ar device 98.Nm 99.Fl S 100.Fl b 101.Op Fl d 102.Fl n Ar rp_id 103.Op Fl i Ar cred_id 104.Ar blob_path 105.Ar device 106.Nm 107.Fl S 108.Fl c 109.Op Fl d 110.Fl i Ar cred_id 111.Fl k Ar user_id 112.Fl n Ar name 113.Fl p Ar display_name 114.Ar device 115.Nm 116.Fl S 117.Fl m 118.Ar rp_id 119.Ar device 120.Nm 121.Fl V 122.Sh DESCRIPTION 123.Nm 124manages a FIDO2 authenticator. 125.Pp 126The options are as follows: 127.Bl -tag -width Ds 128.It Fl C Ar device 129Changes the PIN of 130.Ar device . 131The user will be prompted for the current and new PINs. 
.It Fl D Fl i Ar id Ar device
Deletes the resident credential specified by
.Ar id
from
.Ar device ,
where
.Ar id
is the credential's base64-encoded id.
The user will be prompted for the PIN.
.It Fl D Fl b Fl k Ar key_path Ar device
Deletes a
.Dq largeBlob
encrypted with
.Ar key_path
from
.Ar device ,
where
.Ar key_path
must hold the blob's base64-encoded encryption key.
A PIN or equivalent user-verification gesture is required.
.It Fl D Fl b Fl n Ar rp_id Oo Fl i Ar cred_id Oc Ar device
Deletes a
.Dq largeBlob
corresponding to
.Ar rp_id
from
.Ar device .
If
.Ar rp_id
has multiple credentials enrolled on
.Ar device ,
the credential ID must be specified using
.Fl i Ar cred_id ,
where
.Ar cred_id
is a base64-encoded blob.
A PIN or equivalent user-verification gesture is required.
.It Fl D Fl e Fl i Ar id Ar device
Deletes the biometric enrollment specified by
.Ar id
from
.Ar device ,
where
.Ar id
is the enrollment's base64-encoded template id.
The user will be prompted for the PIN.
.It Fl D Fl u Ar device
Disables the CTAP 2.1
.Dq user verification always
feature on
.Ar device .
.It Fl G Fl b Fl k Ar key_path Ar blob_path Ar device
Gets a CTAP 2.1
.Dq largeBlob
encrypted with
.Ar key_path
from
.Ar device ,
where
.Ar key_path
must hold the blob's base64-encoded encryption key.
The blob is written to
.Ar blob_path .
A PIN or equivalent user-verification gesture is required.
.It Fl G Fl b Fl n Ar rp_id Oo Fl i Ar cred_id Oc Ar blob_path Ar device
Gets a CTAP 2.1
.Dq largeBlob
associated with
.Ar rp_id
from
.Ar device .
If
.Ar rp_id
has multiple credentials enrolled on
.Ar device ,
the credential ID must be specified using
.Fl i Ar cred_id ,
where
.Ar cred_id
is a base64-encoded blob.
The blob is written to
.Ar blob_path .
A PIN or equivalent user-verification gesture is required.
.It Fl I Ar device
Retrieves information on
.Ar device .
.It Fl I Fl c Ar device
Retrieves resident credential metadata from
.Ar device .
The user will be prompted for the PIN.
.It Fl I Fl k Ar rp_id Fl i Ar cred_id Ar device
Prints the credential id (base64-encoded) and public key
(PEM encoded) of the resident credential specified by
.Ar rp_id
and
.Ar cred_id ,
where
.Ar rp_id
is a UTF-8 relying party id, and
.Ar cred_id
is a base64-encoded credential id.
The user will be prompted for the PIN.
.It Fl L
Produces a list of authenticators found by the operating system.
.It Fl L Fl b Ar device
Produces a list of CTAP 2.1
.Dq largeBlobs
on
.Ar device .
A PIN or equivalent user-verification gesture is required.
.It Fl L Fl e Ar device
Produces a list of biometric enrollments on
.Ar device .
The user will be prompted for the PIN.
.It Fl L Fl r Ar device
Produces a list of relying parties with resident credentials on
.Ar device .
The user will be prompted for the PIN.
.It Fl L Fl k Ar rp_id Ar device
Produces a list of resident credentials corresponding to
relying party
.Ar rp_id
on
.Ar device .
The user will be prompted for the PIN.
.It Fl R
Performs a reset on
.Ar device .
.Nm
will NOT prompt for confirmation.
.It Fl S
Sets the PIN of
.Ar device .
The user will be prompted for the PIN.
.It Fl S Fl a Ar device
Enables CTAP 2.1 Enterprise Attestation on
.Ar device .
.It Fl S Fl b Fl k Ar key_path Ar blob_path Ar device
Sets
.Ar blob_path
as a CTAP 2.1
.Dq largeBlob
encrypted with
.Ar key_path
on
.Ar device ,
where
.Ar blob_path
holds the blob's plaintext, and
.Ar key_path
the blob's base64-encoded encryption key.
A PIN or equivalent user-verification gesture is required.
.It Fl S Fl b Fl n Ar rp_id Oo Fl i Ar cred_id Oc Ar blob_path Ar device
Sets
.Ar blob_path
as a CTAP 2.1
.Dq largeBlob
associated with
.Ar rp_id
on
.Ar device .
If
.Ar rp_id
has multiple credentials enrolled on
.Ar device ,
the credential ID must be specified using
.Fl i Ar cred_id ,
where
.Ar cred_id
is a base64-encoded blob.
A PIN or equivalent user-verification gesture is required.
.It Fl S Fl c Fl i Ar cred_id Fl k Ar user_id Fl n Ar name Fl p Ar display_name Ar device
Sets the
.Ar name
and
.Ar display_name
attributes of the resident credential identified by
.Ar cred_id
and
.Ar user_id ,
where
.Ar name
and
.Ar display_name
are UTF-8 strings and
.Ar cred_id
and
.Ar user_id
are base64-encoded blobs.
A PIN or equivalent user-verification gesture is required.
.It Fl S Fl e Ar device
Performs a new biometric enrollment on
.Ar device .
The user will be prompted for the PIN.
.It Fl S Fl e Fl i Ar template_id Fl n Ar template_name Ar device
Sets the friendly name of the biometric enrollment specified by
.Ar template_id
to
.Ar template_name
on
.Ar device ,
where
.Ar template_id
is base64-encoded and
.Ar template_name
is a UTF-8 string.
The user will be prompted for the PIN.
.It Fl S Fl f Ar device
Forces a PIN change on
.Ar device .
The user will be prompted for the PIN.
.It Fl S Fl l Ar pin_length Ar device
Sets the minimum PIN length of
.Ar device
to
.Ar pin_length .
The user will be prompted for the PIN.
.It Fl S Fl m Ar rp_id Ar device
Sets the list of relying party IDs that are allowed to retrieve
the minimum PIN length of
.Ar device .
Multiple IDs may be specified, separated by commas.
The user will be prompted for the PIN.
.It Fl S Fl u Ar device
Enables the CTAP 2.1
.Dq user verification always
feature on
.Ar device .
.It Fl V
Prints version information.
.It Fl d
Causes
.Nm
to emit debugging output on
.Em stderr .
.El
.Pp
If a
.Em tty
is available,
.Nm
will use it to prompt for PINs.
Otherwise,
.Em stdin
is used.
.Pp
.Nm
exits 0 on success and 1 on error.
.Sh SEE ALSO
.Xr fido2-assert 1 ,
.Xr fido2-cred 1
.Sh CAVEATS
The actual user-flow to perform a reset is outside the scope of the
FIDO2 specification, and may therefore vary depending on the
authenticator.
Yubico authenticators do not allow resets after 5 seconds from
power-up, and expect a reset to be confirmed by the user through
touch within 30 seconds.
.Pp
An authenticator's path may contain spaces.
.Pp
Resident credentials are called
.Dq discoverable credentials
in CTAP 2.1.
.Pp
Whether the CTAP 2.1
.Dq user verification always
feature is activated or deactivated after an authenticator reset
is vendor-specific.
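The largeBlob options above (-S -b -k, -G -b -k, -D -b -k) all read a key_path that "must hold the blob's base64-encoded encryption key", but the page does not say how that file is produced. The following script is an added example, not part of libfido2 or of this manual page. It assumes the key is 32 random bytes written base64-encoded on a single line (that length is an assumption about fido2-token's key format, not something the page states), creates the file with owner-only permissions so the key is not world-readable, validates the file's shape before any authenticator is touched, and only then, if the FIDO_DEVICE environment variable is set (a name chosen here, not a fido2-token convention), runs the set/get/delete round trip from the manual. The functions are offline and side-effect free apart from the key file; the device section is skipped when no device is given.

```shell
#!/bin/sh
# Added example (not libfido2 code): prepare and check the key file used by
# fido2-token's largeBlob options, then optionally run a round trip.
# Assumption: fido2-token expects a 32-byte key, base64-encoded, one line.
set -eu

# Write a fresh base64-encoded 32-byte key to $1, readable only by the owner.
# The umask change is confined to a subshell so the caller's umask is untouched.
make_largeblob_key() {
    key_path=$1
    (
        umask 077
        head -c 32 /dev/urandom | base64 | tr -d '\n' > "$key_path"
        printf '\n' >> "$key_path"
    )
}

# Return 0 only if $1 is exactly one base64 line that decodes to 32 bytes.
# Catching a wrong-length or non-base64 key here avoids burning a PIN/UV
# prompt on the authenticator for a request that cannot succeed.
check_largeblob_key() {
    key_path=$1
    lines=$(( $(wc -l < "$key_path") ))
    [ "$lines" -eq 1 ] || return 1
    nbytes=$(( $(base64 -d < "$key_path" 2>/dev/null | wc -c) ))
    [ "$nbytes" -eq 32 ]
}

# Round trip on a real authenticator, only when FIDO_DEVICE is set, e.g.
#   FIDO_DEVICE=/dev/hidraw0 sh largeblob.sh
# Each fido2-token call prompts for the PIN (or an equivalent UV gesture).
if [ -n "${FIDO_DEVICE:-}" ]; then
    make_largeblob_key ./blob.key
    check_largeblob_key ./blob.key || { echo 'bad key file' >&2; exit 1; }
    printf 'constructed sample blob\n' > ./blob.in      # blob plaintext
    fido2-token -S -b -k ./blob.key ./blob.in "$FIDO_DEVICE"    # store
    fido2-token -G -b -k ./blob.key ./blob.out "$FIDO_DEVICE"   # retrieve
    cmp ./blob.in ./blob.out && echo 'largeBlob round trip OK'
    fido2-token -D -b -k ./blob.key "$FIDO_DEVICE"              # delete
fi
```

The key file is the only secret material involved: anyone holding it can decrypt the blob with -G -b -k, so it should be treated with the same care as the credential it accompanies, which is why the script creates it under umask 077 rather than relying on the default permissions.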