FIDO2.1 Security Key Management Tool - GUI for fido2-manage.exe
FIDO2 keys can be managed and configured using standard operating-system tools. No special tool needs to be installed to start using a FIDO key: most modern browsers prompt you to set a PIN when one is required, and both registration and authentication are handled through the browser's standard WebAuthn API. Additional tools are only needed for specific tasks, such as changing the PIN, viewing or deleting passkeys, enforcing PIN entry (always UV), resetting the key, and other advanced configuration.
Overview:
The FIDO2.1 Security Key Management Tool is a utility designed to manage and interact with FIDO2.1 security keys. It provides functionalities to view information, manage relying parties, and perform various operations on connected FIDO2.1 devices.
Important: This tool requires administrative privileges
Since Windows 10 version 1903, Microsoft routes all access to FIDO authenticators through its WebAuthn API. Processes running as a non-administrator are restricted to that API and cannot talk to the key's FIDO HID interface directly, so any tool that manages FIDO keys (setting or changing the PIN, listing or deleting passkeys, resetting) must be run with administrative privileges.
Main Window:
Devices Dropdown:
- Displays a list of connected FIDO2.1 devices or NFC readers.
- Select a device from the dropdown to view its information and manage its settings. Use the "Refresh" button to show keys plugged in after launching the app.
- After choosing a device from the list, a valid PIN is required to proceed. If no PIN is set, the 'Set PIN' button is the only active function.
Device Info Element:
- Displays information about the selected FIDO2.1 device.
- Shows passkey storage information, such as the total passkey capacity of the device and the number of used and free passkey slots.
- Provides details such as manufacturer, model, AAGUID, firmware version, supported algorithms, transports, and more. Scroll through the data grid for additional fields.
Show Passkeys:
- Opens a new window listing the passkeys (resident, i.e. discoverable, credentials) stored on the selected device.
- Please be patient while the list of passkeys is loaded; retrieving it may take some time depending on the number of passkeys and the hardware model.
- Disabled if no device is selected or if the selected device has no passkeys stored.
Reset Button:
- Resets the selected FIDO2.1 device to its factory default state. A reset erases every passkey and fingerprint stored on the key together with its PIN, so make sure nothing on it is still needed.
- Resetting a FIDO2.1 key is only accepted within 10 seconds after it is plugged in, so you may need to replug the key before resetting.
- Requires confirmation and a touch of the key's button before execution.
Change PIN Button:
- Opens a new window to change the PIN of the selected device.
Set PIN Button:
- Opens a new window to set a PIN on the selected device.
- Enabled only if the selected key does not have a PIN set yet.
Enforce UV Button:
- Opens a new window to enable the enforced user verification (always UV) option of the key. Only FIDO2.1 Final keys support this feature.
- If a PIN is requested, enforced UV was not yet enabled, and entering a valid PIN in this window activates it. If no PIN is requested, enforced UV is already enabled and no action is needed. On security keys that do not support this feature (older firmware), the following error is shown:
'config_always_uv: option not found'
Refresh Button:
- Updates the list of connected FIDO2.1 devices in the dropdown (e.g. keys plugged in after the app was launched).
Passkeys Window:
- Displays a list of the passkeys stored on the selected FIDO2.1 device.
- To remove a passkey, select its row in the list and click 'Delete'.
- Passkey removal requires confirmation before execution. To complete the removal, press 'Y' on the keyboard when the console prompt appears.
- Click 'Refresh' in the Passkeys window to see the updated list.
Fingerprint Management
For biometric keys, you can use the fingerprint management feature of this application. It lets you list, add, and delete fingerprints on your device. Please note that for many actions involving fingerprint-enabled security keys, you may be prompted to swipe your finger in addition to entering the PIN. Watch the LED on the key for guidance.
If you click the "Fingerprints" button, the enrolled fingerprints are automatically listed in a table when the window opens.
Adding a Fingerprint
- In the fingerprint window, click the "Add" button. This will open a console window asking you to enter your PIN to confirm the operation.
- Place your finger on the sensor. The tool will request four samples of the same fingerprint.
- To add another fingerprint (other fingers), repeat the process. You can also add the same finger at different angles.
Most FIDO2 keys allow adding more than 10 fingerprints. With Token2 keys, you can add up to 29 fingerprints. If you reach this limit, the error FIDO_ERR_KEY_STORE_FULL will be shown.
Deleting a Fingerprint
- In the fingerprint window, click the "Delete" button. This will open a console window asking you to enter your PIN and confirm the operation.
- Confirm your operation to delete the fingerprint.
If the deletion is successful, the fingerprint will be removed from the device. If there are any issues, an error message will be displayed.
Note: After the first fingerprint is enrolled, managing a biometric FIDO key with this tool may require both a fingerprint swipe on the sensor and entry of the PIN. If the fingerprint is not recognized after several attempts, the key falls back to the entered PIN. This is a limitation of the keys themselves: once a fingerprint is enrolled, they always ask for a fingerprint before a PIN can be used. This behaviour is observed with the latest firmware only (FIDO2.1 Final).
To enroll a new fingerprint, you can also use the command-line option:
fido2-manage.[exe] -fingerprint -device [number]
Limitations:
- This tool interacts only with FIDO2.1 security keys.
- Only USB and NFC transports are currently supported. Starting from v1.2.7, FIDO2 cards can also be managed over the ISO 7816 contact interface.
- NFC support is available starting from v1.1 of this tool. NFC functionality has been tested only with the NFC reader devices sold by Token2.
Download
This tool is part of the fido2-manage.cpp project, which includes both a command-line utility and a GUI wrapper. The project is fully open-source.
FAQ
Q: Is this for Token2 devices only?
A: No. As a member of the FIDO Alliance, we try to make our tools usable with any device compliant with the current standards. This tool can be used with any FIDO2.1 security key, not only ours.
Q: My Google Titan v2 is not working with your tool.
A: Google Titan v2 is a FIDO2.0 device, and our tool only supports the FIDO2.1 standard. From v1.2.1, the tool displays basic information about FIDO2.0 keys, but be aware that FIDO2.0 has no credential management command, so passkeys on such keys cannot be listed or deleted.
Q: Is this Token2's original software? Why was this created?
A: This is simply a GUI wrapper around a libfido2-based command-line utility. The need arose from the fact that there was no standalone FIDO2.1 passkey management tool for Windows. Our customers were not comfortable using command-line tools or Chromium-based management methods; this tool addresses that need.
Q: Why don't I see my PIN being entered?
A: The console prompts give no visual feedback, such as asterisks or dots, while a PIN or password is typed, on both Linux and Windows. This avoids revealing even the length of the PIN to anyone watching the screen, and it is the same behaviour as the usual non-echoing password prompts on both systems, prioritizing security over convenience.
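The GUI's decisions described above (Set PIN only when no PIN is set, Enforce UV only on FIDO2.1 Final firmware, no passkey listing on FIDO2.0 keys such as the Titan v2, fingerprint-first prompting once a finger is enrolled, free passkey slots) all derive from the key's authenticatorGetInfo response. The following Python is an added example, not code from fido2-manage or this GUI: it maps a decoded getInfo map onto those operations using the CTAP 2.1 member names. The three sample responses are constructed to mirror the shape of a decoded getInfo map and are not captures from real devices; the KeyCapabilities names and note strings are this example's own.

```python
"""Classify what a management tool can do with a key, from the key's
authenticatorGetInfo response (CTAP 2.1 member names).

Added example, not code from the fido2-manage project. The sample
responses at the bottom are constructed by hand; they are not captures
from real devices.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import List, Optional

# Highest advertised CTAP version wins; a key that only reports
# U2F_V2/FIDO_2_0 has no credential management, so no passkey listing.
_VERSION_RANK = {"U2F_V2": 0, "FIDO_2_0": 1, "FIDO_2_1_PRE": 2, "FIDO_2_1": 3}


@dataclass
class KeyCapabilities:
    ctap_version: str                   # best CTAP version the key advertises
    pin_supported: bool                 # 'clientPin' option present
    pin_set: bool                       # 'clientPin' present and True
    credential_mgmt: str                # "none" | "preview" | "final"
    always_uv: str                      # "unsupported" | "off" | "on"
    bio: str                            # "none" | "supported" | "enrolled"
    remaining_passkeys: Optional[int]   # remainingDiscoverableCredentials, if reported
    notes: List[str] = field(default_factory=list)


def classify(info: dict) -> KeyCapabilities:
    """Map a decoded getInfo response onto the operations the GUI exposes."""
    versions = [v for v in info.get("versions", []) if v in _VERSION_RANK]
    ctap_version = max(versions, key=_VERSION_RANK.__getitem__, default="unknown")
    opts = info.get("options", {})

    # clientPin: absent = no PIN support, False = supported but not set, True = set.
    pin_supported = "clientPin" in opts
    pin_set = bool(opts.get("clientPin", False))

    # credMgmt (2.1 final) or credentialMgmtPreview (2.1 PRE) is what lists
    # and deletes resident credentials; CTAP 2.0 keys have neither.
    if opts.get("credMgmt"):
        cred_mgmt = "final"
    elif opts.get("credentialMgmtPreview"):
        cred_mgmt = "preview"
    else:
        cred_mgmt = "none"

    # alwaysUv: absent means the authenticatorConfig subcommand is not
    # available on this firmware; present carries the current setting.
    if "alwaysUv" not in opts:
        always_uv = "unsupported"
    else:
        always_uv = "on" if opts["alwaysUv"] else "off"

    # bioEnroll: absent = no sensor, False = sensor but nothing enrolled yet,
    # True = at least one fingerprint enrolled.
    if "bioEnroll" not in opts:
        bio = "none"
    else:
        bio = "enrolled" if opts["bioEnroll"] else "supported"

    remaining = info.get("remainingDiscoverableCredentials")

    caps = KeyCapabilities(ctap_version, pin_supported, pin_set, cred_mgmt,
                           always_uv, bio, remaining)
    if pin_supported and not pin_set:
        caps.notes.append("no PIN set: only 'Set PIN' is possible until one is configured")
    if cred_mgmt == "none":
        caps.notes.append("no credential management: passkeys cannot be listed or deleted")
    if always_uv == "unsupported":
        caps.notes.append("enforced UV not configurable on this firmware")
    if bio == "enrolled":
        caps.notes.append("fingerprint enrolled: expect a finger swipe before the PIN prompt")
    if remaining == 0:
        caps.notes.append("passkey storage full")
    return caps


# Constructed sample responses (not device captures).
SAMPLE_FIDO2_0 = {                         # CTAP 2.0-only key, PIN already set
    "versions": ["U2F_V2", "FIDO_2_0"],
    "aaguid": bytes(16),
    "options": {"rk": True, "up": True, "plat": False, "clientPin": True},
    "maxMsgSize": 1200,
    "pinUvAuthProtocols": [1],
}
SAMPLE_FIDO2_1_PRE = {                     # 2.1 preview firmware, no PIN yet
    "versions": ["U2F_V2", "FIDO_2_0", "FIDO_2_1_PRE"],
    "aaguid": bytes(16),
    "options": {"rk": True, "up": True, "clientPin": False,
                "credentialMgmtPreview": True},
    "pinUvAuthProtocols": [1],
}
SAMPLE_FIDO2_1_BIO = {                     # 2.1 final biometric key, finger enrolled
    "versions": ["U2F_V2", "FIDO_2_0", "FIDO_2_1_PRE", "FIDO_2_1"],
    "aaguid": bytes(16),
    "options": {"rk": True, "up": True, "uv": True, "clientPin": True,
                "credMgmt": True, "bioEnroll": True, "alwaysUv": False,
                "pinUvAuthToken": True},
    "pinUvAuthProtocols": [2, 1],
    "remainingDiscoverableCredentials": 42,
}

if __name__ == "__main__":
    for name, sample in [("FIDO2.0", SAMPLE_FIDO2_0), ("2.1 PRE", SAMPLE_FIDO2_1_PRE),
                         ("2.1 bio", SAMPLE_FIDO2_1_BIO)]:
        c = classify(sample)
        print(f"{name}: {c.ctap_version}, credmgmt={c.credential_mgmt}, "
              f"alwaysUv={c.always_uv}, bio={c.bio}, free={c.remaining_passkeys}")
        for n in c.notes:
            print("  -", n)
```

To use it against a real key, feed classify() the decoded getInfo map obtained from any CTAP2 client library; the member names above are the ones defined in the CTAP 2.1 specification, so a decoded response needs no renaming.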
Version History
- 1.2.7 (30-11-2024): Complete code rewrite in C++
- 1.2.5 (18-07-2024): Fingerprint Management for Biometric FIDO2.1 Keys
- 1.2.4 (14-07-2024): Fixed PowerShell-reserved characters ({, } etc.) in passkeys dialog
- 1.2.3 (07-06-2024): Showing UPN in the passkeys table and partial support for extended Latin chars (umlauts)
- 1.2.2 (03-06-2024): Enforcing user verification (always_uv) was added as a GUI button
- 1.2.1 (11-05-2024): Basic info will be displayed for FIDO2.0 devices, as passkeys cannot be managed with FIDO2.0.
- 1.2 (22-04-2024): PIN Code characters related fixes.
- 1.1 (13-04-2024): NFC Transport support.
- 1.0 (05-02-2024): Initial version.