FIDO2.1 Security Key Management Tool - GUI for fido2-manage.exe


1. Overview:

The FIDO2.1 Security Key Management Tool is a utility designed to manage and interact with FIDO2.1 security keys. It provides functionalities to view information, manage relying parties, and perform various operations on connected FIDO2.1 devices.


Important: This tool requires administrative privileges
Since Windows 10 version 1903, Microsoft has implemented its WebAuthn API to interact with FIDO authenticators. Access from non-administrator accounts is restricted to this API, requiring any tool that manages FIDO keys to be executed with administrative privileges.
Starting from v1.1, this tool supports managing FIDO2.1 devices over NFC transport. Only one NFC reader with a FIDO2.1 device should be present in the system (the tool will only attempt to enumerate/read the first one, appearing as pcsc://slot0). Please note that NFC stability depends on the precise positioning of the NFC card antenna overlapping with the reader's reading area. NFC functionality was tested only using NFC Reader devices provided by Token2.

2. Main Window:

    Devices Dropdown:

    • Displays a list of connected FIDO2.1 devices or NFC Readers.

      FIDO2.1 Security Key Management Tool - GUI for fido2-manage.exe
    • Select a device from the dropdown to view information and manage settings. Use "Refresh" button to show keys plugged in after launching the app.
    • After choosing a device from the list, a valid PIN is necessary to proceed. If no PIN is set, the 'Set PIN' button will be the only active function.

    Device Info Element:

    • Displays information about the selected FIDO2.1 device.
      FIDO2.1 Security Key Management Tool - GUI for fido2-manage.exe
    • Shows the passkey storage information, such as total storage capacity available on the device, used and free passkey slots, etc.
    • Provides details such as manufacturer, model, AAGUID, version, available algorithms, transports, and more. Scroll through the data grid for additional information.
      FIDO2.1 Security Key Management Tool - GUI for fido2-manage.exe

    Show Passkeys:

    • Opens a new window displaying information about passkeys (resident keys) stored on the selected device.
      FIDO2.1 Security Key Management Tool - GUI for fido2-manage.exe
    • Please be patient as the list of passkeys is loaded; it may take some time to retrieve the information depending on the number of passkeys and hardware model.
    • Disabled if no device is selected or if the selected device has no passkeys stored.

    Reset Button:

    • Resets the selected FIDO2.1 device to its default state.
    • Resetting a FIDO2.1 key is only possible within 10 seconds after plugging in, so you may need to replug the key when resetting.
    • Requires confirmation and pressing/touching the button before execution.

    Change PIN Button:

    • Opens a new window to change the PIN for the selected device.

    Set PIN Button:

    • Opens a new window to set the PIN for the selected device.
    • Enabled only if the selected key does not have a PIN set.

    Enforce UV Button:

    • Opens a new window to set enable the enforced user verification (UV) parameter of the key. Please note that only the FID2.1.Final keys support this feature
    • If the PIN is asked, this means the UV was previously not enabled, and entering a valid PIN in this window, will activate this feature. If no PIN is asked, UV is already enabled and no action is needed. For security keys not supporting this feature (older firmware), this error will be shown: 'config_always_uv: option not found'

    Refresh Button:

    • Updates the list of connected FIDO2.1 devices in the dropdown (i.e. plugged after the app is launched).

3. Passkeys Window:

  • Displays a list of passkeys stored with the selected FIDO2.1 device.
    FIDO2.1 Security Key Management Tool - GUI for fido2-manage.exe
  • To remove a passkey, select the row in the list and click on Delete
  • Passkey removal requires confirmation before execution. To complete the removal, press 'Y' on the keyboard when the console prompt, as shown below, appears.
    FIDO2.1 Security Key Management Tool - GUI for fido2-manage.exe

4. Limitations:

  • This tool interacts only with FIDO2.1 security keys.
  • Only USB and NFC transports are currently supported.
  • NFC support is available starting from v1.1 of this tool. NFC functionality was tested only using NFC Reader devices provided by Token2.
  • The tool currently supports PIN authentication only.

5. Download Section


Some of our exe files trigger false positives on VirusTotal. We're addressing this with AV providers. Meanwhile, find PowerShell source codes on our GitHub for compiling your own exe files:

fido2-manage.ps1

6. FAQ:

Q: Is this for Token2 devices only?
A: No, being a member of FIDO Alliance, we try to make tools usable with any devices compliant with the current standards. This tool can be used with any FIDO2.1 security key, not only ours.

Q: My Google Titan v2 is not working with your tool.
A: Google Titan v2 is a FIDO2.0 device. Our tool only supports FIDO2.1 standard. From v1.2.1, the tool will display basic information about FIDO2.0 keys, but be aware that FIDO2.0 does not allow passkey management.

Q: Is this Token2's original software? Why was this created?
A: This is simply a GUI wrapper of a libfido2 based command-line utility. The need raised from the fact that there is currently no standalone FIDO2.1 passkey management tool for Windows available. Our customers were not comfortable using command line tools or Chromium-based management methods - this tool is to address these needs. 

Version History

  • 1.2.3 (07-06-2024): Showing UPN in the passkeys table and partial support for extended Latin chars (umlauts)
  • 1.2.2 (03-06-2024): Enforcing user verification (always_uv) was added as a GUI button
  • 1.2.1 (11-05-2024): Basic info will be displayed for FIDO2.0 devices, as passkeys cannot be managed with FIDO2.0.
  • 1.2 (22-04-2024): PIN Code characters related fixes.
  • 1.1 (13-04-2024): NFC Transport support.
  • 1.0 (05-02-2024): Initial version.