FIDO2 Token Management Tool Manual

Overview

The FIDO2 Token Management Tool (fido2-manage.exe) is a command-line wrapper around the libfido2 tools. It provides a convenient way to perform common operations on FIDO2 tokens (listing devices, inspecting resident keys, deleting credentials, and managing PINs) without calling the libfido2 tools directly.

Prerequisites

Usage

Running the tool

Open command prompt as administrator and navigate to the directory containing the tool. Execute the tool by running the following command:

.\fido2-manage.exe [parameters]

Tool Parameters

The tool supports the following parameters:

Examples

  1. List available devices:

    .\fido2-manage.exe -list

  2. Retrieve information about a specific device:

    .\fido2-manage.exe -info -device 1

  3. Retrieve storage data for credentials (number of resident keys stored and still available) on a specific device:

    .\fido2-manage.exe -storage -device 2

  4. Retrieve all relying parties (domains) on a specific device:

    .\fido2-manage.exe -residentKeys -device 1

  5. Retrieve the resident keys on a specific device for one domain:

    .\fido2-manage.exe -residentKeys -device 1 -domain login.microsoft.com

  6. Delete a credential on a specific device:

    .\fido2-manage.exe -delete -device 2 -credential Y+Dh/tSy/Q2IdZt6PW/G1A==

  7. Set a PIN on a specific device (for new devices or after a reset):

    .\fido2-manage.exe -device 1 -setPIN

    The tool will ask you to enter the PIN twice (confirmation). If the PIN length or complexity requirements are not met, FIDO_ERR_PIN_POLICY_VIOLATION is shown.

  8. Change the PIN on a specific device:

    .\fido2-manage.exe -device 1 -changePIN

    The tool will ask you to enter the current PIN and then the new PIN twice (confirmation). If the PIN length or complexity requirements are not met, FIDO_ERR_PIN_POLICY_VIOLATION is shown.
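The following PowerShell helper is an added example, not part of this manual or of the fido2-manage.exe distribution. It chains the documented invocations above into an inventory function (info, storage counters and resident keys per device) and wraps the irreversible -delete call so that the credential ID is checked to be valid base64 and PowerShell's own confirmation runs before the tool's. It assumes that fido2-manage.exe is in the current directory, that its text output can be captured, and that it sets a non-zero exit code on failure; the device indexes are supplied by the caller because the manual does not document the exact output format of -list. The function names and parameters are hypothetical.

```powershell
# Added example (not the tool's own code). Assumptions: fido2-manage.exe is in the
# current directory, prints text that can be captured, and returns a non-zero exit
# code on failure. Device indexes come from the caller (taken from "-list" output).

$Fido2Manage = Join-Path (Get-Location) 'fido2-manage.exe'

function Invoke-Fido2Manage {
    param([Parameter(Mandatory)][string[]]$Arguments)
    # Run the tool with the given parameters and return its combined output lines.
    $output = & $Fido2Manage @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "fido2-manage.exe $($Arguments -join ' ') failed (exit $LASTEXITCODE): $output"
    }
    return $output
}

function Get-Fido2Inventory {
    # Collect device info, storage counters and resident keys (optionally for one
    # domain) for each device index, e.g. for a periodic inventory of issued tokens.
    param(
        [Parameter(Mandatory)][int[]]$DeviceIndex,
        [string]$Domain
    )
    foreach ($i in $DeviceIndex) {
        $rkArgs = @('-residentKeys', '-device', $i)
        if ($Domain) { $rkArgs += @('-domain', $Domain) }
        [pscustomobject]@{
            Device       = $i
            Collected    = (Get-Date).ToString('o')
            Info         = (Invoke-Fido2Manage @('-info', '-device', $i)) -join "`n"
            Storage      = (Invoke-Fido2Manage @('-storage', '-device', $i)) -join "`n"
            ResidentKeys = (Invoke-Fido2Manage $rkArgs) -join "`n"
        }
    }
}

function Test-Fido2CredentialId {
    # Credential IDs are passed to -delete as base64 (see example 6). Reject input
    # that does not decode cleanly so a typo is never sent to the irreversible
    # -delete call. Returns $true/$false only; it does not touch the token.
    param([Parameter(Mandatory)][string]$CredentialId)
    try {
        $bytes = [Convert]::FromBase64String($CredentialId)
        return ($bytes.Length -gt 0)
    } catch [FormatException] {
        return $false
    }
}

function Remove-Fido2Credential {
    # ConfirmImpact High means PowerShell prompts first; the tool then asks for its
    # own confirmation as documented in the Warning section.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][int]$DeviceIndex,
        [Parameter(Mandatory)][string]$CredentialId
    )
    if (-not (Test-Fido2CredentialId $CredentialId)) {
        throw "'$CredentialId' is not valid base64; refusing to call -delete."
    }
    if ($PSCmdlet.ShouldProcess("device $DeviceIndex", "delete credential $CredentialId")) {
        Invoke-Fido2Manage @('-delete', '-device', $DeviceIndex, '-credential', $CredentialId)
    }
}

# Usage (run from an elevated prompt in the tool's directory):
#   Get-Fido2Inventory -DeviceIndex 1,2 | Export-Csv fido2-inventory.csv -NoTypeInformation
#   Remove-Fido2Credential -DeviceIndex 2 -CredentialId 'Y+Dh/tSy/Q2IdZt6PW/G1A=='
```

The PIN operations (-setPIN, -changePIN) are deliberately left out of the helper: they read the PIN interactively from the console, and putting a PIN on a command line or in a script would expose it in process listings and shell history.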

Warning

Deleting a credential is irreversible. The tool will ask for confirmation before proceeding with deletion.

Version History