FIDO2 Token Management Tool Manual

Overview

The FIDO2 Token Management Tool (fido2-manage.exe) is a command-line wrapper tool designed to interact with the libfido2 tool, providing a convenient way to perform various operations related to FIDO2 tokens.
Starting from v0.2 this tool supports managing FIDO2.1 devices over NFC transport. Only one NFC reader with a FIDO2.1 device should be present in the system (the tool will only attempt to enumerate/read the first one, appearing as pcsc://slot0). Please note that NFC stability depends on the precise positioning of the NFC card antenna overlapping with the reader's reading area. NFC functionality was tested only using NFC Reader devices provided by Token2.

Prerequisites

• Ensure that libfido2.exe is present in the same directory as the tool.
• PowerShell must be installed on your system.

Usage

Running the tool

Open command prompt as administrator and navigate to the directory containing the tool. Execute the tool by running the following command:

.\fido2-manage.exe [parameters]

Tool Parameters

The tool supports the following parameters:

• -list: List available devices. Please note that if you plug in only one FIDO2 device, the device number to be used is always 1
• -info -device [number]: Retrieve information about a specific device.
• -storage -device [number]: Retrieve storage for credentials on a specific device.
• -residentKeys -device [number] : Retrieve a list of the relying parties on the device.
• -residentKeys -device [number] -domain [domain]: Retrieve resident keys on a specific device for individual accounts or relying parties in the specified domain.
• -delete -device [number] -credential [credential]: Delete a credential on a specific device with the specified credential ID.
• -uvs -device [number]: Enforce user verification to be always requested on a specific device.
• -uvd -device [number]: Disable enforcing user verification to be always requested on a specific device.
• -changePIN -device [number]: Change PIN of a specific device.
• -setPIN -device [number]: Set a PIN of a specific device (for new or freshly reset devices).

Examples

1. List available devices:

   .\fido2-manage.exe -list

2. Retrieve information about a specific device:

   .\fido2-manage.exe -info -device 1

3. Retrieve storage data for credentials (number of resident keys stored and available) on a specific device:

   .\fido2-manage.exe -storage -device 2

4. Retrieve all relying parties (domains) on a specific device:

   .\fido2-manage.exe -residentKeys -device 1  

5. Retrieve resident keys on a specific device for a domain:

   .\fido2-manage.exe -residentKeys -device 1 -domain login.microsoft.com

6. Delete a credential on a specific device:

   .\fido2-manage.exe -delete -device 2 -credential Y+Dh/tSy/Q2IdZt6PW/G1A==

7. Set a PIN on a specific device (for new devices or after a reset):

   .\fido2-manage.exe -device 1 -setPIN

   The tool will ask to enter the PIN twice (confirmation). In case PIN lentgh or complexity requirements are not met a FIDO_ERR_PIN_POLICY_VIOLATION will be shown

8. Change a PIN on a specific device:

   .\fido2-manage.exe -device 1 -changePIN

   The tool will ask to enter the current PIN and the PIN twice (with confirmation). In case PIN lentgh or complexity requirements are not met a FIDO_ERR_PIN_POLICY_VIOLATION will be shown

Warning

Deleting a credential is irreversible. The tool will ask for confirmation before proceeding with deletion.

Version History

• 0.2.2 (30-04-2024): Enforcing user verification parameters added (uvs and uvd)
• 0.2.1 (22-04-2024): PIN Code special characters escape
• 0.2 (13-04-2024): NFC Support.
• 0.1 (01-12-2023): Initial version.