1.\" Copyright (c) 2018-2021 Yubico AB. All rights reserved. 2.\" Use of this source code is governed by a BSD-style 3.\" license that can be found in the LICENSE file. 4.\" 5.Dd $Mdocdate: September 13 2019 $ 6.Dt FIDO2-TOKEN 1 7.Os 8.Sh NAME 9.Nm fido2-token 10.Nd find and manage a FIDO 2 authenticator 11.Sh SYNOPSIS 12.Nm 13.Fl C 14.Op Fl d 15.Ar device 16.Nm 17.Fl D 18.Op Fl d 19.Fl i 20.Ar cred_id 21.Ar device 22.Nm 23.Fl D 24.Fl b 25.Op Fl d 26.Fl k Ar key_path 27.Ar device 28.Nm 29.Fl D 30.Fl b 31.Op Fl d 32.Fl n Ar rp_id 33.Op Fl i Ar cred_id 34.Ar device 35.Nm 36.Fl D 37.Fl e 38.Op Fl d 39.Fl i 40.Ar template_id 41.Ar device 42.Nm 43.Fl D 44.Fl u 45.Op Fl d 46.Ar device 47.Nm 48.Fl G 49.Fl b 50.Op Fl d 51.Fl k Ar key_path 52.Ar blob_path 53.Ar device 54.Nm 55.Fl G 56.Fl b 57.Op Fl d 58.Fl n Ar rp_id 59.Op Fl i Ar cred_id 60.Ar blob_path 61.Ar device 62.Nm 63.Fl I 64.Op Fl cd 65.Op Fl k Ar rp_id Fl i Ar cred_id 66.Ar device 67.Nm 68.Fl L 69.Op Fl bder 70.Op Fl k Ar rp_id 71.Op device 72.Nm 73.Fl R 74.Op Fl d 75.Ar device 76.Nm 77.Fl S 78.Op Fl adefu 79.Ar device 80.Nm 81.Fl S 82.Op Fl d 83.Fl i Ar template_id 84.Fl n Ar template_name 85.Nm 86.Fl S 87.Op Fl d 88.Fl l Ar pin_length 89.Ar device 90.Nm 91.Fl S 92.Fl b 93.Op Fl d 94.Fl k Ar key_path 95.Ar blob_path 96.Ar device 97.Nm 98.Fl S 99.Fl b 100.Op Fl d 101.Fl n Ar rp_id 102.Op Fl i Ar cred_id 103.Ar blob_path 104.Ar device 105.Nm 106.Fl S 107.Fl c 108.Op Fl d 109.Fl i Ar cred_id 110.Fl k Ar user_id 111.Fl n Ar name 112.Fl p Ar display_name 113.Ar device 114.Nm 115.Fl V 116.Sh DESCRIPTION 117.Nm 118manages a FIDO 2 authenticator. 119.Pp 120The options are as follows: 121.Bl -tag -width Ds 122.It Fl C Ar device 123Changes the PIN of 124.Ar device . 125The user will be prompted for the current and new PINs. 126.It Fl D Fl i Ar id Ar device 127Deletes the resident credential specified by 128.Ar id 129from 130.Ar device , 131where 132.Ar id 133is the credential's base64-encoded id. 
The user will be prompted for the PIN.
.It Fl D Fl b Fl k Ar key_path Ar device
Deletes a
.Dq largeBlob
encrypted with
.Ar key_path
from
.Ar device ,
where
.Ar key_path
must hold the blob's base64-encoded encryption key.
A PIN or equivalent user-verification gesture is required.
.It Fl D Fl b Fl n Ar rp_id Oo Fl i Ar cred_id Oc Ar device
Deletes a
.Dq largeBlob
corresponding to
.Ar rp_id
from
.Ar device .
If
.Ar rp_id
has multiple credentials enrolled on
.Ar device ,
the credential ID must be specified using
.Fl i Ar cred_id ,
where
.Ar cred_id
is a base64-encoded blob.
A PIN or equivalent user-verification gesture is required.
.It Fl D Fl e Fl i Ar id Ar device
Deletes the biometric enrollment specified by
.Ar id
from
.Ar device ,
where
.Ar id
is the enrollment's base64-encoded template id.
The user will be prompted for the PIN.
.It Fl D Fl u Ar device
Disables the FIDO 2.1
.Dq user verification always
feature on
.Ar device .
.It Fl G Fl b Fl k Ar key_path Ar blob_path Ar device
Gets a FIDO 2.1
.Dq largeBlob
encrypted with
.Ar key_path
from
.Ar device ,
where
.Ar key_path
must hold the blob's base64-encoded encryption key.
The blob is written to
.Ar blob_path .
A PIN or equivalent user-verification gesture is required.
.It Fl G Fl b Fl n Ar rp_id Oo Fl i Ar cred_id Oc Ar blob_path Ar device
Gets a FIDO 2.1
.Dq largeBlob
associated with
.Ar rp_id
from
.Ar device .
If
.Ar rp_id
has multiple credentials enrolled on
.Ar device ,
the credential ID must be specified using
.Fl i Ar cred_id ,
where
.Ar cred_id
is a base64-encoded blob.
The blob is written to
.Ar blob_path .
A PIN or equivalent user-verification gesture is required.
.It Fl I Ar device
Retrieves information on
.Ar device .
.It Fl I Fl c Ar device
Retrieves resident credential metadata from
.Ar device .
The user will be prompted for the PIN.
.It Fl I Fl k Ar rp_id Fl i Ar cred_id Ar device
Prints the credential id (base64-encoded) and public key
(PEM encoded) of the resident credential specified by
.Ar rp_id
and
.Ar cred_id ,
where
.Ar rp_id
is a UTF-8 relying party id, and
.Ar cred_id
is a base64-encoded credential id.
The user will be prompted for the PIN.
.It Fl L
Produces a list of authenticators found by the operating system.
.It Fl L Fl b Ar device
Produces a list of FIDO 2.1
.Dq largeBlobs
on
.Ar device .
A PIN or equivalent user-verification gesture is required.
.It Fl L Fl e Ar device
Produces a list of biometric enrollments on
.Ar device .
The user will be prompted for the PIN.
.It Fl L Fl r Ar device
Produces a list of relying parties with resident credentials on
.Ar device .
The user will be prompted for the PIN.
.It Fl L Fl k Ar rp_id Ar device
Produces a list of resident credentials corresponding to
relying party
.Ar rp_id
on
.Ar device .
The user will be prompted for the PIN.
.It Fl R Ar device
Performs a reset on
.Ar device .
.Nm
will NOT prompt for confirmation.
.It Fl S Ar device
Sets the PIN of
.Ar device .
The user will be prompted for the PIN.
.It Fl S Fl a Ar device
Enables FIDO 2.1 Enterprise Attestation on
.Ar device .
.It Fl S Fl b Fl k Ar key_path Ar blob_path Ar device
Sets
.Ar blob_path
as a FIDO 2.1
.Dq largeBlob
encrypted with
.Ar key_path
on
.Ar device ,
where
.Ar blob_path
holds the blob's plaintext, and
.Ar key_path
the blob's base64-encoded encryption key.
A PIN or equivalent user-verification gesture is required.
.It Fl S Fl b Fl n Ar rp_id Oo Fl i Ar cred_id Oc Ar blob_path Ar device
Sets
.Ar blob_path
as a FIDO 2.1
.Dq largeBlob
associated with
.Ar rp_id
on
.Ar device .
If
.Ar rp_id
has multiple credentials enrolled on
.Ar device ,
the credential ID must be specified using
.Fl i Ar cred_id ,
where
.Ar cred_id
is a base64-encoded blob.
A PIN or equivalent user-verification gesture is required.
.It Fl S Fl c Fl i Ar cred_id Fl k Ar user_id Fl n Ar name Fl p Ar display_name Ar device
Sets the
.Ar name
and
.Ar display_name
attributes of the resident credential identified by
.Ar cred_id
and
.Ar user_id ,
where
.Ar name
and
.Ar display_name
are UTF-8 strings and
.Ar cred_id
and
.Ar user_id
are base64-encoded blobs.
A PIN or equivalent user-verification gesture is required.
.It Fl S Fl e Ar device
Performs a new biometric enrollment on
.Ar device .
The user will be prompted for the PIN.
.It Fl S Fl e Fl i Ar template_id Fl n Ar template_name Ar device
Sets the friendly name of the biometric enrollment specified by
.Ar template_id
to
.Ar template_name
on
.Ar device ,
where
.Ar template_id
is base64-encoded and
.Ar template_name
is a UTF-8 string.
The user will be prompted for the PIN.
.It Fl S Fl f Ar device
Forces a PIN change on
.Ar device .
The user will be prompted for the PIN.
.It Fl S Fl l Ar pin_length Ar device
Sets the minimum PIN length of
.Ar device
to
.Ar pin_length .
The user will be prompted for the PIN.
.It Fl S Fl u Ar device
Enables the FIDO 2.1
.Dq user verification always
feature on
.Ar device .
.It Fl V
Prints version information.
.It Fl d
Causes
.Nm
to emit debugging output on
.Em stderr .
.El
.Pp
If a
.Em tty
is available,
.Nm
will use it to prompt for PINs.
Otherwise,
.Em stdin
is used.
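.Pp
The following shell helpers are an added example and are not part of the
fido2-token manual page or of libfido2.
They wrap the largeBlob options above: a random key is written base64-encoded
to
.Ar key_path
with mode 0600 (the key decrypts the blob, so it must not be world-readable),
validated, and then used for a set/get round-trip so that a wrong or
corrupted key file is caught immediately.
The manual only requires the key to be base64-encoded; the 32-byte size is
the CTAP 2.1 largeBlobKey length.
The FIDO2_TOKEN variable, the function names and the device path are the
example's own assumptions.

```shell
#!/bin/sh
# Added example; not part of the fido2-token manual page or of libfido2.
# Helpers for the largeBlob options (-S/-G/-D with -b -k key_path).
set -eu

# Lets a test or a wrapper substitute the binary; an assumption of this
# example, not a setting that fido2-token itself reads.
FIDO2_TOKEN="${FIDO2_TOKEN:-fido2-token}"

# Write a fresh random key to $1, base64-encoded as fido2-token expects.
# 32 bytes is the CTAP 2.1 largeBlobKey length. The file is created with
# mode 0600 because whoever can read it can decrypt the blob.
make_largeblob_key() {
    ( umask 077; head -c 32 /dev/urandom | base64 > "$1" )
}

# Return 0 if $1 exists and decodes to exactly 32 bytes, 1 otherwise.
check_largeblob_key() {
    [ -f "$1" ] || return 1
    n=$(base64 -d "$1" 2>/dev/null | wc -c | tr -d ' ')
    [ "$n" -eq 32 ]
}

# Store $2 as a largeBlob encrypted under $1 on authenticator $3, read it
# back into $4 and compare, so a bad key file is caught now rather than
# when the blob is next needed. Each fido2-token call prompts for the PIN
# or an equivalent user-verification gesture.
largeblob_roundtrip() {
    key_path=$1 plaintext=$2 device=$3 out=$4
    check_largeblob_key "$key_path" || {
        echo "refusing to use $key_path: not a base64-encoded 32-byte key" >&2
        return 1
    }
    "$FIDO2_TOKEN" -S -b -k "$key_path" "$plaintext" "$device"
    "$FIDO2_TOKEN" -G -b -k "$key_path" "$out" "$device"
    cmp -s "$plaintext" "$out"
}

# Usage with a FIDO 2.1 authenticator that supports largeBlobs
# (the device path is illustrative):
#   make_largeblob_key ./blob.key
#   largeblob_roundtrip ./blob.key ./secret.txt /dev/hidraw0 ./readback.txt
```

The round-trip deliberately compares the plaintext with what the
authenticator returns rather than trusting the exit status of the set
operation alone; a key file that decodes to the wrong length is rejected
before any command touches the device.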
.Pp
.Nm
exits 0 on success and 1 on error.
.Sh SEE ALSO
.Xr fido2-assert 1 ,
.Xr fido2-cred 1
.Sh CAVEATS
The actual user-flow to perform a reset is outside the scope of the
FIDO2 specification, and may therefore vary depending on the
authenticator.
Yubico authenticators do not allow resets after 5 seconds from
power-up, and expect a reset to be confirmed by the user through
touch within 30 seconds.
.Pp
An authenticator's path may contain spaces.
.Pp
Resident credentials are called
.Dq discoverable credentials
in FIDO 2.1.
.Pp
Whether the FIDO 2.1
.Dq user verification always
feature is activated or deactivated after an authenticator reset
is vendor-specific.
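.Pp
The following shell wrapper is an added example and is not part of the
fido2-token manual page or of libfido2.
It puts an explicit confirmation in front of
.Fl R ,
which the manual says will NOT prompt, and then sequences the Yubico timing
windows described above (reset only within 5 seconds of power-up, touch
within 30 seconds) so that the reset command is issued right after the
authenticator is re-inserted.
The FIDO2_TOKEN variable, the function name and the device path are the
example's own assumptions.

```shell
#!/bin/sh
# Added example; not part of the fido2-token manual page or of libfido2.
# A guarded front end for `fido2-token -R`, which does not confirm itself.
set -eu

# Lets a test or a wrapper substitute the binary; an assumption of this
# example, not a setting that fido2-token itself reads.
FIDO2_TOKEN="${FIDO2_TOKEN:-fido2-token}"

# Reset authenticator $1 only after the operator re-types its path.
# Returns 2 if the operator declines or mistypes (nothing is sent to the
# device), otherwise propagates the exit status of fido2-token -R.
guarded_reset() {
    device=$1
    echo "About to reset $device. fido2-token -R does not ask for confirmation."
    printf 'Type the device path to confirm: '
    read -r answer || answer=
    if [ "$answer" != "$device" ]; then
        echo "Reset of $device cancelled." >&2
        return 2
    fi
    # Yubico authenticators (see CAVEATS) refuse a reset more than 5 seconds
    # after power-up, so ask for a re-insert and run -R immediately after.
    printf 'Unplug and re-insert the authenticator, then press Enter: '
    read -r _ || true
    echo "Touch the authenticator within 30 seconds to confirm the reset."
    "$FIDO2_TOKEN" -R "$device"
}

# Usage (the device path is illustrative; run fido2-token -L to find it):
#   guarded_reset /dev/hidraw0
```

Requiring the operator to re-type the device path, rather than answering
"yes", makes it harder to reset the wrong authenticator when several are
attached; the second prompt exists only to line up the command with the
5-second post-power-up window.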