fido2-token as a tool for administering MFA tokens

Hi all! I want to talk about the practical application of such a utility as fido2-token. The utility was created to search and manage tokens that work with the FIDO2 standard. I haven’t found any publications on this topic in the Russian-language segment, so I’ll describe my experience of using it. I will not describe the standard itself, but will immediately move on to practical application.

Where to get the utility

In Linux distributions, the utility is present in standard repositories; I’ll show you using my Ubuntu 23 as an example:

sudo apt install fido2-tools

You can also download a release from the developer's website. The utility is cross-platform and can be installed on Windows or Mac. For installation questions, see the installation instructions here.

Learn more about the utility's capabilities

The developers have written good documentation about the capabilities of fido2-token, but I didn't have enough usage examples and had to spend some time studying it.

Basic commands to use

List of connected tokens

$ fido2-token -L
# Prints the list of connected devices.
/dev/hidraw5: vendor=0x0a89, product=0x0093 (Aktiv Co. FIDO)

To execute all commands except listing the tokens and printing the utility version, you must specify the device parameter; it can be obtained by calling fido2-token -L. In my case the device name is /dev/hidraw5. In all the commands described below I pass the device name as the last parameter.

Device information

$ fido2-token -I /dev/hidraw5
# Prints detailed information about the token
proto: 0x02
major: 0x01
minor: 0x00
build: 0x01
caps: 0x05 (wink, cbor, msg)
version strings: U2F_V2, FIDO_2_0, FIDO_2_1_PRE, FIDO_2_1
extension strings: credProtect, hmac-secret
transport strings: usb
algorithms: es256 (public-key)
aaguid: aff32171f03fd048e5269324f49316a6
options: rk, up, noplat, credMgmt, clientPin, pinUvAuthToken, makeCredUvNotRqd, credentialMgmtPreview
fwversion: 0x5
maxmsgsiz: 1024
maxcredcntlst: 3
maxcredlen: 48
maxlargeblob: 0
remaining rk(s): 12
pin protocols: 1, 2
pin retries: 8
pin change required: false
uv retries: undefined

Set a pin code to the token

$ fido2-token -S /dev/hidraw5
# The command works on a freshly reset token. If a PIN is already set on the token, the message fido2-token: fido_dev_set_pin: FIDO_ERR_PIN_AUTH_INVALID is printed
Enter new PIN for /dev/hidraw5:
Enter the same PIN again:

Change PIN code

This function is only available if a PIN has been set previously. If the token has been reset and no PIN is set, you will not be able to change it.

$ fido2-token -C /dev/hidraw5
Enter current PIN for /dev/hidraw5:
Enter new PIN for /dev/hidraw5:
Enter the same PIN again:

List of entries on the device

$ fido2-token -L -r /dev/hidraw5
Enter PIN for /dev/hidraw5:
00: dKbqkhPJnC90siSSsyDPQCYqlMGpUKA5fyklC2CEHvA= webauthn.io
01: xGzvgq0bVGR3WR0Aiwh1nsPm0uy085R0v+ppaZJdA7c= demo.yubico.com
02: qWaDlfZfrZCqrermCG3TqVPA7xqNOvVJUT/Yc6Jw90c= demoauth.rutoken.ru

What I don't like about this command is that it does not show how many records on the token belong to a specific site; I will show this below.

View records by ID

# In this example two accounts were created for the site webauthn.io, with user names user1 and user2 respectively
$ fido2-token -L -k webauthn.io /dev/hidraw5
Enter PIN for /dev/hidraw5: 
00: ZZ51+SdC38OKQWC3UO+8JgHOyC87eL0j2w5nScXDJmaEIswiqpPba9I0aVM+k2hr user1 ZFhObGNqRQ== es256 uvopt+id
01: izclAxNXw7+w85WMkY8a+WQ7/Vs11jqDkzftlxJ9+eaZgEUe9yRr4+H6I+U6OcBn user2 ZFhObGNqSQ== es256 uvopt+id

As you can see, for the webauthn.io site we have two accounts, for users user1 and user2.
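To get the per-site view that the listing commands above don't give directly, here is a small POSIX shell script (an added example, not from the original post) that combines -L -r and -L -k: it takes the RP IDs from the first command and counts the accounts each one has with the second. It assumes fido2-token is on PATH, the device path is passed as an argument, the PIN is entered interactively on each call, and user names contain no spaces.

```shell
#!/bin/sh
# Added example, not part of the original post: a per-site inventory of the
# accounts stored on a FIDO2 token, built on fido2-token's own listing output.
# Assumptions: fido2-token on PATH, device path given as $1, PIN typed at each
# prompt, user names without spaces (the output is space-separated).

# Parse "fido2-token -L -r <dev>" output ("NN: <rp hash b64> <rp id>") and
# print only the RP IDs. Prompt lines such as "Enter PIN for ..." do not match.
rp_ids_from_listing() {
    awk 'NF == 3 && $1 ~ /^[0-9]+:$/ { print $3 }'
}

# Parse "fido2-token -L -k <rp> <dev>" output
# ("NN: <cred id> <user name> <user id> <alg> <protection>") and print
# "<count> <user1,user2,...>", or just "0" when the RP has no entries.
summarize_rp_creds() {
    awk 'NF >= 4 && $1 ~ /^[0-9]+:$/ { n++; users = users (n > 1 ? "," : "") $3 }
         END { printf "%d%s\n", n + 0, (n > 0 ? " " users : "") }'
}

# Walk every RP on the token and print one line per site, for example
# "webauthn.io: 2 user1,user2". Each fido2-token call asks for the PIN.
inventory() {
    dev="$1"
    fido2-token -L -r "$dev" | rp_ids_from_listing | while read -r rp; do
        summary=$(fido2-token -L -k "$rp" "$dev" | summarize_rp_creds)
        printf '%s: %s\n' "$rp" "$summary"
    done
}

# Usage: sh inventory.sh /dev/hidraw5
if [ "$#" -ge 1 ]; then
    inventory "$1"
fi
```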

Deleting an account

To delete an entry, you need its base64 identifier:

# First obtain the base64 id of the account for the site of interest. It is in the second column.
$ fido2-token -L -k webauthn.io /dev/hidraw5
Enter PIN for /dev/hidraw5: 
00: ZZ51+SdC38OKQWC3UO+8JgHOyC87eL0j2w5nScXDJmaEIswiqpPba9I0aVM+k2hr user1 ZFhObGNqRQ== es256 uvopt+id
01: izclAxNXw7+w85WMkY8a+WQ7/Vs11jqDkzftlxJ9+eaZgEUe9yRr4+H6I+U6OcBn user2 ZFhObGNqSQ== es256 uvopt+id

$ fido2-token -D -i ZZ51+SdC38OKQWC3UO+8JgHOyC87eL0j2w5nScXDJmaEIswiqpPba9I0aVM+k2hr /dev/hidraw5
Enter PIN for /dev/hidraw5:
# The command completes successfully and the account is deleted. Verify by calling $ fido2-token -L -k webauthn.io /dev/hidraw5 again
$ fido2-token -L -k webauthn.io /dev/hidraw5
Enter PIN for /dev/hidraw5: 
00: izclAxNXw7+w85WMkY8a+WQ7/Vs11jqDkzftlxJ9+eaZgEUe9yRr4+H6I+U6OcBn user2 ZFhObGNqSQ== es256 uvopt+id

Token formatting

This function completely destroys all accounts on the token, and no PIN is required to confirm the operation. I would say it is nothing more than a reset to factory settings.

$ fido2-token -R /dev/hidraw5

Features of working under Windows

What I didn't like, and what I had to come to terms with, is how the token's name is displayed in the system. Here is the output of fido2-token -L in Win10:

fido2-token.exe -L
\\?\hid#vid_1050&pid_0406&mi_00#7&63fc3c9&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}: vendor=0x1050, product=0x0406 (Yubico YubiKey FIDO+CCID)

And for every subsequent command you have to enclose the device name string in quotes: \\?\hid#vid_1050&pid_0406&mi_00#7&63fc3c9&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}

Accordingly, any use in a Windows environment will look like this:

fido2-token.exe -L -k webauth.io "\\?\hid#vid_1050&pid_0406&mi_00#7&63fc3c9&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}"

Instead of a conclusion

In my opinion, the utility fully covers administration of FIDO2 devices on various operating systems. Its undoubted advantages are cross-platform support and full control of the device. Unlike graphical tools such as the Chrome browser or the Windows security key settings (Accounts → Sign-in options → Security key), it can delete a specific account and view the existing entries.
