Managing T2F2 FIDO2 keys under macOS or Linux

T2F2 FIDO2 keys can be managed using different methods, including the built-in Windows 10/11 control panel applet. If you are using macOS or Linux, you can manage your FIDO2 keys using the tools integrated into the latest Chromium-based browsers, such as Google Chrome (starting from v80).

This guide covers the Chromium-based tool only. We also offer an open-source tool for managing FIDO2 keys on Linux and macOS. 


You can use the same functionality in Chrome running under Windows 1909 or later. However, by default Google Chrome relies on the Windows API for managing FIDO2 keys, so you need to disable this behaviour by running Chrome with the "--disable-features=WebAuthenticationUseNativeWinApi" flag (this has to be run as Administrator).

To access the security key management interface, go to Settings.

Then click on "Privacy and Security", and choose "Security".

Then click on the "Manage Security Keys" option.

This will open the list of available operations, which are covered in the sections below.


Creating a PIN

To create a PIN on your FIDO2 key, click on the "Create a PIN" link.

When prompted, touch or press the button on your T2F2 security key. In the next window, enter a numeric PIN code.

After clicking on Save, your FIDO2 key will be protected with the PIN code you defined here. Please note that this PIN code will be required to perform all the remaining operations described in this article, except resetting the key. After 3 wrong PIN attempts, the system will ask you to unplug and plug the key back in. If subsequent PIN attempts are invalid as well, the authenticator has to be reset (all keys are erased) to be used again.


Adding a fingerprint

FIDO2 keys with biometric support can optionally be protected with fingerprints in addition to PIN codes. Click on "Fingerprints", then "Add" to enroll your first fingerprint.

To complete adding the fingerprint, the tool will ask you to keep touching the sensor until a checkbox icon is shown.

Because you can add multiple fingerprints, you can name each one so that you can manage them later (e.g. delete one or re-add a different finger).

Click on "Continue" to finish adding the fingerprint.

Sign-in Data

This feature is available for security keys running the FIDO2.1pre firmware version and allows managing user credentials separately. For example, if you have enrolled the same key into two different Office 365 tenants (e.g. token2.ch and token2.fr) and want to remove only one, this is only possible using the "Sign-in Data" setting.

Please note that the same operation is not possible with FIDO2.0 keys: you will have to either reset the key completely (which will delete all stored credentials) or remove the FIDO2 key enrollment on the server side (in Azure AD (Microsoft Entra ID)).


Reset your security key

To reset your security key, you can use this option. The operation will not require any PIN, but will remove all credentials and website associations stored on the device.
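
The PIN lockout described under "Creating a PIN" and the reset behaviour described above can be modelled as a small state machine. This is an added example, not Token2 code or firmware logic: the class and function names are hypothetical, and the total budget of 8 retries is the CTAP2 maximum, assumed here because this guide does not state a total.

```python
import hmac

MAX_RETRIES = 8          # assumption (CTAP2 maximum); persists across replugs
MAX_PER_POWER_CYCLE = 3  # from the guide: 3 wrong attempts, then replug

class ModelAuthenticator:  # hypothetical model, added for illustration
    def __init__(self, pin=None):
        self.reset()
        self.pin = pin  # None means "Create a PIN" has not been used yet

    def reset(self):
        """Factory reset: needs no PIN, erases the PIN and all credentials."""
        self.pin = None
        self.credentials = []
        self.retries = MAX_RETRIES
        self.mismatches = 0  # consecutive wrong PINs since power-up

    def power_cycle(self):
        """Unplug and replug: clears only the per-power-cycle counter."""
        self.mismatches = 0

    def verify_pin(self, attempt):
        if self.pin is None:
            return "PIN_NOT_SET"
        if self.retries == 0:
            return "PIN_BLOCKED"       # only reset() makes the key usable
        if self.mismatches >= MAX_PER_POWER_CYCLE:
            return "PIN_AUTH_BLOCKED"  # refused until the key is replugged
        if hmac.compare_digest(attempt.encode(), self.pin.encode()):
            self.retries, self.mismatches = MAX_RETRIES, 0
            return "OK"
        self.retries -= 1
        self.mismatches += 1
        if self.retries == 0:
            return "PIN_BLOCKED"
        soft = self.mismatches >= MAX_PER_POWER_CYCLE
        return "PIN_AUTH_BLOCKED" if soft else "PIN_INVALID"

def wrong_guesses_until_reset(auth, bad_pin):
    """Return (guesses, replugs) a wrong PIN gets before reset is required."""
    if auth.pin is None or bad_pin == auth.pin:
        raise ValueError("needs a PIN-protected key and a wrong PIN")
    guesses = replugs = 0
    while auth.retries > 0:
        if auth.mismatches >= MAX_PER_POWER_CYCLE:
            auth.power_cycle()
            replugs += 1
        auth.verify_pin(bad_pin)
        guesses += 1
    return guesses, replugs
```

In this model even the correct PIN is refused after three consecutive mismatches until the key is replugged, and once the retry budget is exhausted only a reset, which wipes every stored credential, makes the key usable again.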