FIDO2 Token Management Tool - fido2-manage.exe

Overview

The FIDO2 Token Management Tool (fido2-manage.exe) is a command-line wrapper tool designed to interact with the libfido2 tool, providing a convenient way to perform various operations related to FIDO2 tokens.




Running the tool

Open command prompt as administrator and navigate to the directory containing the tool. Execute the tool by running the following command:

.\fido2-manage.exe [parameters]

Tool Parameters

The tool supports the following parameters:

  • -list: List available devices. Please note that if you plug in only one FIDO2 device, the device number to be used is always 1
  • -info -device [number]: Retrieve information about a specific device.
  • -storage -device [number]: Retrieve storage for credentials on a specific device.
  • -residentKeys -device [number] : Retrieve a list of the relying parties on the device.
  • -residentKeys -device [number] -domain [domain]: Retrieve resident keys on a specific device for individual accounts or relying parties in the specified domain.
  • -delete -device [number] -credential [credential]: Delete a credential on a specific device with the specified credential ID.
  • -uvs -device [number]: Enforce user verification to be always requested on a specific device.
  • -uvd -device [number]: Disable enforcing user verification to be always requested on a specific device.
  • -changePIN -device [number]: Change PIN of a specific device.
  • -setPIN -device [number]: Set a PIN of a specific device (for new or freshly reset devices).
  • -reset -device [number]: Performs a factory reset of a specific device (please note that this operation has to be performed within 10 seconds after plugging the key in. Important: factory reset will remove all configuration, including all passkeys and current PIN code).


Examples

  1. List available devices:

    .\fido2-manage.exe -list
  2. Retrieve information about a specific device:

    .\fido2-manage.exe -info -device 1
  3. Retrieve storage data for credentials (number of resident keys stored and available) on a specific device:

    .\fido2-manage.exe -storage -device 2
  4. Retrieve all relying parties (domains) on a specific device:

    .\fido2-manage.exe -residentKeys -device 1  
  5. Retrieve resident keys on a specific device for a domain:

    .\fido2-manage.exe -residentKeys -device 1 -domain login.microsoft.com
  6. Delete a credential on a specific device:

    .\fido2-manage.exe -delete -device 2 -credential Y+Dh/tSy/Q2IdZt6PW/G1A==
  7. Set a PIN on a specific device (for new devices or after a reset):

    .\fido2-manage.exe -device 1 -setPIN

    The tool will ask to enter the PIN twice (confirmation). In case PIN lentgh or complexity requirements are not met a FIDO_ERR_PIN_POLICY_VIOLATION will be shown


  8. Change a PIN on a specific device:

    .\fido2-manage.exe -device 1 -changePIN

    The tool will ask to enter the current PIN and the PIN twice (with confirmation). In case PIN lentgh or complexity requirements are not met a FIDO_ERR_PIN_POLICY_VIOLATION will be shown


  9. Enforce user verification to be always requested on a specific device:

    .\fido2-manage.exe -device 1 -uvs

    The tool will prompt the user to enter the current PIN if the parameter is being changed (i.e., if user verification has not already been enabled). If a PIN is not required, it indicates that the command will not alter anything. Please note that this feature is available for FIDO2.1 keys (and not FIDO2.1.PRE or earlier). If the key does not support enforcing user verification, an error will be returned ("config_always_uv: option not found")
    To disable enforcing user verification, issue the command below:

    .\fido2-manage.exe -device 1 -uvd


Warning

Deleting a credential is irreversible. The tool will ask for confirmation before proceeding with deletion.

Good to Know

  • The FIDO2 Token Management Tool (fido2-manage.exe) is versatile and can be used with any FIDO2 keys, not limited to those purchased from our company. This flexibility allows users to manage and interact with a wide range of FIDO2 devices, enhancing the tool's usability across different hardware providers.
  • When using the -list parameter to display available devices, it's important to note that in some cases, the tool may show the platform authenticator or Windows Hello as a separate key. However, due to technical limitations, these keys cannot be managed using this tool.
  • The tool is primarily designed for managing traditional external FIDO2 devices. If you encounter platform authenticators or Windows Hello in the list, be aware that they fall outside the tool's scope for management operations.

    Users should rely on the respective platform settings for managing these types of authenticators.
  • For all tool operations, it is imperative to run fido2-manage.exe in administrator mode. Open the command prompt as an administrator and navigate to the directory containing the tool to execute commands successfully.
  • Whether you have FIDO2 keys from our company or another vendor, the tool provides a standardized command-line interface for performing various operations, such as listing available devices, retrieving information, managing storage, and more.
  • Make sure to follow the appropriate device-specific guidelines and security practices, especially when dealing with sensitive operations like setting or changing PINs and deleting credentials.

Download


Some of our exe files trigger false positives on VirusTotal. We're addressing this with AV providers. Meanwhile, find PowerShell source codes on our GitHub for compiling your own exe files:

fido2-manage.ps1


Version History

  • 0.2.3 (07-06-2024): Showing UPN in the passkeys table and partial support for extended Latin chars (umlauts)
  • 0.2.2 (30-04-2024): Enforcing user verification parameters added (-uvs and -uvd)
  • 0.2.1 (22-04-2024): PIN Code special characters escape
  • 0.2 (13-04-2024): NFC Support.
  • 0.1 (01-12-2023): Initial version.