FIDO2 Token Management Tool - fido2-manage.exe

Overview

The FIDO2 Token Management Tool (fido2-manage.exe) is a command-line wrapper around libfido2. It exposes the most common FIDO2 token operations (listing attached devices, reading device and credential-storage information, enumerating and deleting resident keys, and setting, changing or resetting the PIN) behind a small set of parameters.

Running the tool

Open a command prompt as administrator, change to the directory containing the tool, and run it with the parameters described below:

.\fido2-manage.exe [parameters]

Tool Parameters

The tool supports the following parameters:

  • -list: List available devices. The device number used by the other parameters is the position in this list; if only one FIDO2 device is plugged in, it is always 1.
  • -info -device [number]: Retrieve information about the specified device.
  • -storage -device [number]: Retrieve credential storage statistics for the specified device (number of resident keys stored and number still available).
  • -residentKeys -device [number]: List the relying parties (domains) that have resident keys on the specified device.
  • -residentKeys -device [number] -domain [domain]: List the resident keys (individual accounts) stored on the specified device for the given relying party.
  • -delete -device [number] -credential [credential]: Delete the credential with the given credential ID from the specified device. Use the credential ID exactly as printed by -residentKeys -domain.
  • -changePIN -device [number]: Change the PIN of the specified device.
  • -setPIN -device [number]: Set a PIN on the specified device (for new or freshly reset devices that have no PIN yet).
  • -reset -device [number]: Perform a factory reset of the specified device. The reset has to be started within 10 seconds after plugging the key in. Important: a factory reset removes all configuration, including all passkeys and the current PIN.

Examples

  1. List available devices:

    .\fido2-manage.exe -list

  2. Retrieve information about a specific device:

    .\fido2-manage.exe -info -device 1

  3. Retrieve storage data for credentials (number of resident keys stored and still available) on a specific device:

    .\fido2-manage.exe -storage -device 2

  4. Retrieve all relying parties (domains) that have resident keys on a specific device:

    .\fido2-manage.exe -residentKeys -device 1

  5. Retrieve the resident keys on a specific device for one domain:

    .\fido2-manage.exe -residentKeys -device 1 -domain login.microsoft.com

  6. Delete a credential on a specific device (copy the credential ID from the output of -residentKeys -domain for that device):

    .\fido2-manage.exe -delete -device 2 -credential Y+Dh/tSy/Q2IdZt6PW/G1A==

  7. Set a PIN on a specific device (for new devices or after a reset):

    .\fido2-manage.exe -setPIN -device 1

    The tool asks for the new PIN twice (entry and confirmation). If the PIN does not meet the device's length or complexity requirements, FIDO_ERR_PIN_POLICY_VIOLATION is shown.

  8. Change the PIN of a specific device:

    .\fido2-manage.exe -changePIN -device 1

    The tool asks for the current PIN, then for the new PIN twice (entry and confirmation). If the new PIN does not meet the device's length or complexity requirements, FIDO_ERR_PIN_POLICY_VIOLATION is shown.
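
The examples above can be chained into a single audit run. The PowerShell script below is an added example and is not part of the fido2-manage.exe distribution: it refuses to run without administrator rights, writes the output of -list, -info, -storage and -residentKeys for each given device into a timestamped report file, and optionally deletes one credential through the tool's own confirmation prompt. It uses only the parameters documented on this page; everything else (the tool sitting in the current directory, human-readable text on stdout, a non-zero exit code on failure, and the script's own -Devices, -Domain, -DeleteFromDevice and -DeleteCredential parameters) is an assumption of the example, not documented tool behaviour.

```powershell
<#
  Added example: not part of the fido2-manage.exe distribution.
  Inventories one or more FIDO2 keys with the documented read-only parameters,
  writes the results to a timestamped report, and optionally deletes one
  resident credential through the tool's own interactive confirmation.

  Assumptions (not documented by the tool): fido2-manage.exe is in the current
  directory, prints human-readable text, and exits non-zero on failure, for
  example when the listed "device" is Windows Hello or another platform
  authenticator that the tool cannot manage.
#>
param(
    [string]$ToolPath = ".\fido2-manage.exe",
    [int[]]$Devices = @(1),        # device numbers as shown by -list; a lone key is always 1
    [string]$Domain,               # optional relying party, e.g. login.microsoft.com
    [int]$DeleteFromDevice,        # optional: device to delete a credential from
    [string]$DeleteCredential,     # optional: credential ID copied from -residentKeys -domain output
    [string]$ReportDir = ".\fido2-reports"
)

# The tool requires administrator rights: fail early with a clear message instead of mid-run.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Open PowerShell as administrator before running this script."
}
if (-not (Test-Path $ToolPath)) { throw "fido2-manage.exe not found at $ToolPath" }

function Invoke-Fido2Query {
    # Runs a read-only query and returns its text. A failure is reported as a
    # warning and $null so that one unmanageable entry (platform authenticator,
    # unplugged key) does not abort the rest of the inventory.
    param([string[]]$Arguments)
    $output = & $ToolPath @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning ("fido2-manage.exe {0} exited with code {1}" -f ($Arguments -join ' '), $LASTEXITCODE)
        return $null
    }
    return ($output | Out-String)
}

New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
$report = Join-Path $ReportDir ("fido2-inventory-{0:yyyyMMdd-HHmmss}.txt" -f (Get-Date))

# Build the list of queries first; the read-only parameters map 1:1 to the examples above.
$queries = [ordered]@{ "Devices (-list)" = @("-list") }
foreach ($n in $Devices) {
    $queries["Device $n info"]            = @("-info", "-device", "$n")
    $queries["Device $n storage"]         = @("-storage", "-device", "$n")
    $queries["Device $n relying parties"] = @("-residentKeys", "-device", "$n")
    if ($Domain) {
        $queries["Device $n resident keys for $Domain"] = @("-residentKeys", "-device", "$n", "-domain", $Domain)
    }
}

foreach ($title in $queries.Keys) {
    $text = Invoke-Fido2Query -Arguments $queries[$title]
    if ($null -ne $text) {
        "==== $title ====`r`n$text" | Add-Content -Path $report
    }
}
Write-Host "Inventory written to $report"

# Deletion is irreversible. Require both values so a half-typed command line can never
# delete anything, and run the tool without capturing its output so that its own
# confirmation prompt is visible and answerable on the console.
if ($DeleteCredential -or $DeleteFromDevice) {
    if (-not ($DeleteCredential -and $DeleteFromDevice)) {
        throw "Specify both -DeleteFromDevice and -DeleteCredential, or neither."
    }
    Write-Host "Deleting credential $DeleteCredential from device $DeleteFromDevice ..."
    & $ToolPath -delete -device $DeleteFromDevice -credential $DeleteCredential
    if ($LASTEXITCODE -ne 0) { throw "Deletion failed with exit code $LASTEXITCODE" }
}
```

Save it under any name (Audit-Fido2Keys.ps1 is used here only as a placeholder) and run it from an elevated PowerShell window, for example: .\Audit-Fido2Keys.ps1 -Devices 1,2 -Domain login.microsoft.com. When deleting, put the credential ID in quotes, since IDs such as Y+Dh/tSy/Q2IdZt6PW/G1A== contain characters that PowerShell may otherwise interpret.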

Warning

Deleting a credential is irreversible; the tool asks for confirmation before proceeding with the deletion. A factory reset (-reset) is equally irreversible and removes every passkey on the device together with its PIN.

Good to Know

  • fido2-manage.exe works with any FIDO2 key, not only those purchased from our company. Because it relies on the FIDO2 standard through libfido2, the same commands (listing devices, retrieving information, inspecting storage, managing resident keys and PINs) apply across hardware vendors.
  • The -list output may include the platform authenticator or Windows Hello as if it were a separate key. Due to technical limitations these entries cannot be managed with this tool, which is designed for external FIDO2 devices; use the respective platform settings to manage them.
  • All operations require administrator rights. Open the command prompt as administrator and change to the directory containing the tool before running any command.
  • Follow the device vendor's guidelines and your organisation's security practices for sensitive operations, in particular setting or changing PINs, deleting credentials and factory resets.

Download

Version History

  • 0.2.1 (22-04-2024): Escaping of special characters in PIN codes.
  • 0.2 (13-04-2024): NFC Support.
  • 0.1 (01-12-2023): Initial version.