fido2-token — find and manage a FIDO2 authenticator

    fido2-token -C [-d] device
    fido2-token -D [-d] -i cred_id device
    fido2-token -D -b [-d] -k key_path device
    fido2-token -D -b [-d] -n rp_id [-i cred_id] device
    fido2-token -D -e [-d] -i template_id device
    fido2-token -D -u [-d] device
    fido2-token -G -b [-d] -k key_path blob_path device
    fido2-token -G -b [-d] -n rp_id [-i cred_id] blob_path device
    fido2-token -I [-cd] [-k rp_id -i cred_id] device
    fido2-token -L [-bder] [-k rp_id] [device]
    fido2-token -R [-d] device
    fido2-token -S [-adefu] device
    fido2-token -S [-d] -i template_id -n template_name device
    fido2-token -S [-d] -l pin_length device
    fido2-token -S -b [-d] -k key_path blob_path device
    fido2-token -S -b [-d] -n rp_id [-i cred_id] blob_path device
    fido2-token -S -c [-d] -i cred_id -k user_id -n name -p display_name device
    fido2-token -S -m rp_id device

fido2-token manages a FIDO2 authenticator.
The options are as follows:
- -C device
      Changes the PIN of device. The user will be prompted for the current
      and new PINs.
- -D -i id device
      Deletes the resident credential specified by id from device, where id
      is the credential's base64-encoded id. The user will be prompted for
      the PIN.
- -D -b -k key_path device
      Deletes a “largeBlob” encrypted with key_path from device, where
      key_path holds the blob's base64-encoded 32-byte AES-256 GCM
      encryption key. A PIN or equivalent user-verification gesture is
      required.
- -D -b -n rp_id [-i cred_id] device
      Deletes a “largeBlob” corresponding to rp_id from device. If rp_id has
      multiple credentials enrolled on device, the credential ID must be
      specified using -i cred_id, where cred_id is a base64-encoded blob. A
      PIN or equivalent user-verification gesture is required.
- -D -e -i id device
      Deletes the biometric enrollment specified by id from device, where id
      is the enrollment's template base64-encoded id. The user will be
      prompted for the PIN.
- -D -u device
      Disables the CTAP 2.1 “user verification always” feature on device.
- -G -b -k key_path blob_path device
      Gets a CTAP 2.1 “largeBlob” encrypted with key_path from device, where
      key_path holds the blob's base64-encoded 32-byte AES-256 GCM
      encryption key. The blob is written to blob_path. A PIN or equivalent
      user-verification gesture is required.
- -G -b -n rp_id [-i cred_id] blob_path device
      Gets a CTAP 2.1 “largeBlob” associated with rp_id from device. If
      rp_id has multiple credentials enrolled on device, the credential ID
      must be specified using -i cred_id, where cred_id is a base64-encoded
      blob. The blob is written to blob_path. A PIN or equivalent
      user-verification gesture is required.
- -I device
      Retrieves information on device.
- -I -c device
      Retrieves resident credential metadata from device. The user will be
      prompted for the PIN.
- -I -k rp_id -i cred_id device
      Prints the credential id (base64-encoded) and public key (PEM encoded)
      of the resident credential specified by rp_id and cred_id, where rp_id
      is a UTF-8 relying party id, and cred_id is a base64-encoded
      credential id. The user will be prompted for the PIN.
- -L
      Produces a list of authenticators found by the operating system.
- -L -b device
      Produces a list of CTAP 2.1 “largeBlobs” on device. A PIN or
      equivalent user-verification gesture is required.
- -L -e device
      Produces a list of biometric enrollments on device. The user will be
      prompted for the PIN.
- -L -r device
      Produces a list of relying parties with resident credentials on
      device. The user will be prompted for the PIN.
- -L -k rp_id device
      Produces a list of resident credentials corresponding to relying party
      rp_id on device. The user will be prompted for the PIN.
- -R device
      Performs a reset on device. fido2-token will NOT prompt for
      confirmation.
- -S device
      Sets the PIN of device. The user will be prompted for the PIN.
- -S -a device
      Enables CTAP 2.1 Enterprise Attestation on device.
- -S -b -k key_path blob_path device
      Sets a CTAP 2.1 “largeBlob” encrypted with key_path on device, where
      key_path holds the blob's base64-encoded 32-byte AES-256 GCM
      encryption key. The blob is read from blob_path. A PIN or equivalent
      user-verification gesture is required.
- -S -b -n rp_id [-i cred_id] blob_path device
      Sets a CTAP 2.1 “largeBlob” associated with rp_id on device. The blob
      is read from blob_path. If rp_id has multiple credentials enrolled on
      device, the credential ID must be specified using -i cred_id, where
      cred_id is a base64-encoded blob. A PIN or equivalent
      user-verification gesture is required.
- -S -c -i cred_id -k user_id -n name -p display_name device
      Sets the name and display_name attributes of the resident credential
      identified by cred_id and user_id, where name and display_name are
      UTF-8 strings and cred_id and user_id are base64-encoded blobs. A PIN
      or equivalent user-verification gesture is required.
- -S -e device
      Performs a new biometric enrollment on device. The user will be
      prompted for the PIN.
- -S -e -i template_id -n template_name device
      Sets the friendly name of the biometric enrollment specified by
      template_id to template_name on device, where template_id is
      base64-encoded and template_name is a UTF-8 string. The user will be
      prompted for the PIN.
- -S -f device
      Forces a PIN change on device. The user will be prompted for the PIN.
- -S -l pin_length device
      Sets the minimum PIN length of device to pin_length. The user will be
      prompted for the PIN.
- -S -m rp_id device
      Sets the list of relying party IDs that are allowed to retrieve the
      minimum PIN length of device. Multiple IDs may be specified, separated
      by commas. The user will be prompted for the PIN.
- -S -u device
      Enables the CTAP 2.1 “user verification always” feature on device.
- -V
      Prints version information.
- -d
      Causes fido2-token to emit debugging output on stderr.
If a tty is available, fido2-token will use it to prompt for PINs. Otherwise, stdin is used.

fido2-token exits 0 on success and 1 on error.

The actual user-flow to perform a reset is outside the scope of the FIDO2 specification, and may therefore vary depending on the authenticator. Yubico authenticators do not allow resets after 5 seconds from power-up, and expect a reset to be confirmed by the user through touch within 30 seconds.

An authenticator's path may contain spaces.

Resident credentials are called “discoverable credentials” in CTAP 2.1.

Whether the CTAP 2.1 “user verification always” feature is activated or deactivated after an authenticator reset is vendor-specific.
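
The -b -k options above take a file holding a base64-encoded 32-byte AES-256 GCM key, and device paths may contain spaces. The following is an added example, not part of the original manual page: it creates such a key file with owner-only permissions, validates it before use, and passes every argument quoted. The function names (make_blob_key, check_blob_key, set_blob) are hypothetical.

```shell
#!/bin/sh
# Added example: prepare and validate a largeBlob key file for
# "fido2-token -S -b -k key_path blob_path device".
# Function names are hypothetical, not part of fido2-token.

# Write a fresh base64-encoded 32-byte key to $1 with mode 0600.
# Refuses to overwrite: an existing file keeps its old permissions, and
# replacing a key orphans any blob already encrypted under it.
make_blob_key() {
    [ ! -e "$1" ] || return 1
    ( umask 077 && head -c 32 /dev/urandom | base64 > "$1" )
}

# Succeed only if $1 is a regular file, is accessible by its owner only,
# and decodes to exactly 32 bytes.
check_blob_key() {
    [ -f "$1" ] || return 1
    case $(ls -ld "$1") in
        -rw-------*|-r--------*) ;;
        *) return 1 ;;
    esac
    n=$(base64 -d < "$1" 2>/dev/null | wc -c | tr -d ' ')
    [ "$n" -eq 32 ]
}

# Store the file $2 as a largeBlob on device $3 under key file $1.
# Every argument is quoted because an authenticator's path may contain
# spaces. The exit status is fido2-token's own (0 on success, 1 on error).
set_blob() {
    key=$1 blob=$2 dev=$3
    check_blob_key "$key" || {
        echo "refusing key file: $key" >&2
        return 1
    }
    fido2-token -S -b -k "$key" "$blob" "$dev"
}
```

Keep the key file off shared storage and back it up separately: the same key_path is needed later for -G -b -k and -D -b -k.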