FIDO2 Token Management Tool - fido2-manage.exe
The FIDO2 Token Management Tool (
fido2-manage.exe) is a command-line wrapper tool designed to interact with the
libfido2 tool, providing a convenient way to perform various operations related to FIDO2 tokens.
Running the tool
Open command prompt as administrator and navigate to the directory containing the tool. Execute the tool by running the following command:
The tool supports the following parameters:
-list: List available devices. Please note that if you plug in only one FIDO2 device, the device number to be used is always 1
-info -device [number]: Retrieve information about a specific device.
-storage -device [number]: Retrieve storage for credentials on a specific device.
-residentKeys -device [number]: Retrieve a list of the relying parties on the device.
-residentKeys -device [number] -domain [domain]: Retrieve resident keys on a specific device for individual accounts or relying parties in the specified domain.
-delete -device [number] -credential [credential]: Delete a credential on a specific device with the specified credential ID.
-changePIN -device [number]: Change PIN of a specific device.
-setPIN -device [number]: Set a PIN of a specific device (for new or freshly reset devices).
List available devices:
Retrieve information about a specific device:
.\fido2-manage.exe -info -device 1
Retrieve storage data for credentials (number of resident keys stored and available) on a specific device:
.\fido2-manage.exe -storage -device 2
Retrieve all relying parties (domains) on a specific device:
.\fido2-manage.exe -residentKeys -device 1
Retrieve resident keys on a specific device for a domain:
.\fido2-manage.exe -residentKeys -device 1 -domain login.microsoft.com
Delete a credential on a specific device:
.\fido2-manage.exe -delete -device 2 -credential Y+Dh/tSy/Q2IdZt6PW/G1A==
Set a PIN on a specific device (for new devices or after a reset):
.\fido2-manage.exe -device 1 -setPIN
The tool will ask to enter the PIN twice (confirmation). In case PIN lentgh or complexity requirements are not met a FIDO_ERR_PIN_POLICY_VIOLATION will be shown
Change a PIN on a specific device:
.\fido2-manage.exe -device 1 -changePIN
The tool will ask to enter the current PIN and the PIN twice (with confirmation). In case PIN lentgh or complexity requirements are not met a FIDO_ERR_PIN_POLICY_VIOLATION will be shown
Deleting a credential is irreversible. The tool will ask for confirmation before proceeding with deletion.
Good to Know
- The FIDO2 Token Management Tool (
fido2-manage.exe) is versatile and can be used with any FIDO2 keys, not limited to those purchased from our company. This flexibility allows users to manage and interact with a wide range of FIDO2 devices, enhancing the tool's usability across different hardware providers.
- When using the
-listparameter to display available devices, it's important to note that in some cases, the tool may show the platform authenticator or Windows Hello as a separate key. However, due to technical limitations, these keys cannot be managed using this tool.
- The tool is primarily designed for managing traditional external FIDO2 devices. If you encounter platform authenticators or Windows Hello in the list, be aware that they fall outside the tool's scope for management operations.
Users should rely on the respective platform settings for managing these types of authenticators.
- For all tool operations, it is imperative to run
fido2-manage.exein administrator mode. Open the command prompt as an administrator and navigate to the directory containing the tool to execute commands successfully.
- Whether you have FIDO2 keys from our company or another vendor, the tool provides a standardized command-line interface for performing various operations, such as listing available devices, retrieving information, managing storage, and more.
- Make sure to follow the appropriate device-specific guidelines and security practices, especially when dealing with sensitive operations like setting or changing PINs and deleting credentials.
- 0.1 (2023-12-01): Initial version.
Subscribe to our mailing list
Want to keep up-to-date with the latest Token2 news, projects and events? Join our mailing list!