.\" Copyright (c) 2018 Yubico AB. All rights reserved.
.\" Use of this source code is governed by a BSD-style
.\" license that can be found in the LICENSE file.
.\"
.Dd $Mdocdate: September 13 2019 $
.Dt FIDO2-TOKEN 1
.Os
.Sh NAME
.Nm fido2-token
.Nd find and manage a FIDO 2 authenticator
.Sh SYNOPSIS
.Nm
.Op Fl CR
.Op Fl d
.Ar device
.Nm
.Fl D
.Op Fl de
.Fl i
.Ar id
.Ar device
.Nm
.Fl I
.Op Fl cd
.Op Fl k Ar rp_id Fl i Ar cred_id
.Ar device
.Nm
.Fl L
.Op Fl der
.Op Fl k Ar rp_id
.Op device
.Nm
.Fl S
.Op Fl de
.Op Fl i Ar template_id Fl n Ar template_name
.Ar device
.Nm
.Fl V
.Sh DESCRIPTION
.Nm
manages a FIDO 2 authenticator.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl C Ar device
Changes the PIN of
.Ar device .
The user will be prompted for the current and new PINs.
.It Fl D Fl i Ar id Ar device
Deletes the resident credential specified by
.Ar id
from
.Ar device ,
where
.Ar id
is the credential's base64-encoded id.
The user will be prompted for the PIN.
.It Fl D Fl e Fl i Ar id Ar device
Deletes the biometric enrollment specified by
.Ar id
from
.Ar device ,
where
.Ar id
is the base64-encoded id of the enrollment's template.
The user will be prompted for the PIN.
.It Fl I Ar device
Retrieves information on
.Ar device .
.It Fl I Fl c Ar device
Retrieves resident credential metadata from
.Ar device .
The user will be prompted for the PIN.
.It Fl I Fl k Ar rp_id Fl i Ar cred_id Ar device
Prints the credential id (base64-encoded) and public key
(PEM encoded) of the resident credential specified by
.Ar rp_id
and
.Ar cred_id ,
where
.Ar rp_id
is a UTF-8 relying party id, and
.Ar cred_id
is a base64-encoded credential id.
The user will be prompted for the PIN.
.It Fl L
Produces a list of authenticators found by the operating system.
.It Fl L Fl e Ar device
Produces a list of biometric enrollments on
.Ar device .
The user will be prompted for the PIN.
.It Fl L Fl r Ar device
Produces a list of relying parties with resident credentials on
.Ar device .
The user will be prompted for the PIN.
.It Fl L Fl k Ar rp_id Ar device
Produces a list of resident credentials corresponding to
relying party
.Ar rp_id
on
.Ar device .
The user will be prompted for the PIN.
.It Fl R
Performs a reset on
.Ar device .
.Nm
will NOT prompt for confirmation.
.It Fl S
Sets the PIN of
.Ar device .
The user will be prompted for the PIN.
.It Fl S Fl e Ar device
Performs a new biometric enrollment on
.Ar device .
The user will be prompted for the PIN.
.It Fl S Fl e Fl i Ar template_id Fl n Ar template_name Ar device
Sets the friendly name of the biometric enrollment specified by
.Ar template_id
to
.Ar template_name
on
.Ar device ,
where
.Ar template_id
is base64-encoded and
.Ar template_name
is a UTF-8 string.
The user will be prompted for the PIN.
.It Fl V
Prints version information.
.It Fl d
Causes
.Nm
to emit debugging output on
.Em stderr .
.El
.Pp
If a
.Em tty
is available,
.Nm
will use it to prompt for PINs.
Otherwise,
.Em stdin
is used.
.Pp
.Nm
exits 0 on success and 1 on error.
.Sh SEE ALSO
.Xr fido2-assert 1 ,
.Xr fido2-cred 1
.Sh CAVEATS
The actual user-flow to perform a reset is outside the scope of the
FIDO2 specification, and may therefore vary depending on the
authenticator.
Yubico authenticators do not allow resets after 5 seconds from
power-up, and expect a reset to be confirmed by the user through
touch within 30 seconds.
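Because -R resets the device without prompting, a site may want a confirmation step in front of it. The shell function below is an added example, not part of this manual page or of the fido2-token distribution; the names guarded_reset and FIDO2_TOKEN and the exit statuses 2 and 3 are assumptions made for the example.

```shell
#!/bin/sh
# Added example: confirmation wrapper for `fido2-token -R`, which resets
# the authenticator without prompting.
# FIDO2_TOKEN and guarded_reset are names invented for this example.
FIDO2_TOKEN="${FIDO2_TOKEN:-fido2-token}"

# guarded_reset DEVICE
# Exit status: 0 reset succeeded, 1 fido2-token reported an error,
#              2 usage error, 3 operator did not confirm.
guarded_reset() {
    dev="${1:-}"
    if [ -z "$dev" ]; then
        echo "usage: guarded_reset device" >&2
        return 2
    fi

    # Require the operator to retype the device path, so a stray Enter
    # or a pasted command line cannot trigger the reset.
    printf 'Reset %s? This erases every credential and the PIN.\n' "$dev" >&2
    printf 'Type the device path to confirm: ' >&2
    IFS= read -r answer || answer=""
    if [ "$answer" != "$dev" ]; then
        echo "guarded_reset: not confirmed, nothing done" >&2
        return 3
    fi

    # Some authenticators only accept a reset shortly after power-up
    # (CAVEATS gives 5 seconds for Yubico devices), so let the operator
    # re-insert the token once the slow, human part is over.
    printf 'Re-insert the authenticator if needed, then press Enter: ' >&2
    IFS= read -r unused || true

    # -I is documented without a PIN prompt; use it to check that the
    # device answers at this path (exit status 0 on success, 1 on error).
    if ! "$FIDO2_TOKEN" -I "$dev" >/dev/null 2>&1; then
        echo "guarded_reset: $dev does not answer, nothing done" >&2
        return 1
    fi

    # The reset itself; the authenticator may still require a touch
    # (within 30 seconds on Yubico devices).
    "$FIDO2_TOKEN" -R "$dev"
}
```

Source the file and call guarded_reset with the device name reported by fido2-token -L.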