
FIDO2 commands

For each possible FIDO2 command, there is a class that knows how to build the command APDU and parse the data in the response APDU. Each class knows what information the caller must supply for that command.

List of FIDO2 commands

  • Version
  • Get Info
  • Get Key Agreement (get a public key)
  • Set PIN
  • Change PIN
  • Get PIN Token
  • Get PIN/UV Auth Token Using PIN
  • Get PIN/UV Auth Token Using UV
  • Make credential
  • Get Assertion
  • Get Next Assertion
  • Get Credential Metadata
  • Enumerate RPs Begin
  • Enumerate RPs Get Next RP
  • Get Large Blob
  • Set Large Blob
  • Reset

Get version

Get the YubiKey's version number.

Available

All YubiKeys with the FIDO2 application.

SDK classes

VersionCommand

VersionResponse

Input

None.

Output

FirmwareVersion

APDU

Technical APDU Details


Get info

Get information about the YubiKey's FIDO2 application.

Available

All YubiKeys with the FIDO2 application.

SDK classes

GetInfoCommand

GetInfoResponse

Input

None.

Output

AuthenticatorInfo

Also see the FIDO2 CTAP standard (CTAP 2.1), section 6.4 for a list of possible elements returned.

The standard specifies 21 possible elements an authenticator can return from a GetInfo command. Most of the elements are optional, so that any one encoding may or may not have the same subset of possible key/value pairs.

The YubiKey can return up to 20 of the defined elements. It will not return vendorPrototypeConfigCommands.

APDU

Technical APDU Details


Get key agreement

Get the YubiKey's public key that will be used to perform key agreement. The shared secret result of key agreement will be used to derive a shared key used for PIN operations.

Available

All YubiKeys with the FIDO2 application.

SDK classes

GetKeyAgreementCommand

GetKeyAgreementResponse

Input

The PIN/UV Auth Protocol.

Output

The FIDO2 COSE EC Public Key

APDU

Technical APDU Details


Set PIN

Set the YubiKey's FIDO application to be PIN-protected.

Available

All YubiKeys with the FIDO2 application.

SDK classes

SetPinCommand

SetPinResponse

Input

A Protocol object and the PIN.

Output

None

APDU

Technical APDU Details


Change PIN

Change the YubiKey's FIDO application's PIN.

Available

All YubiKeys with the FIDO2 application.

SDK classes

ChangePinCommand

ChangePinResponse

Input

A Protocol object, the current PIN and the new PIN.

Output

None

APDU

Technical APDU Details


Get PIN token

Get a PIN token, which can be used in later operations such as Make Credential.

There are actually three versions of "Get PIN Token":

  • getPinToken
  • getPinUvAuthTokenUsingPinWithPermissions
  • getPinUvAuthTokenUsingUvWithPermissions

The SDK has three different command classes to call each of the three operations:

  • GetPinTokenCommand
  • GetPinUvAuthTokenUsingPinCommand
  • GetPinUvAuthTokenUsingUvCommand

Available

All YubiKeys with the FIDO2 application.

SDK classes

GetPinTokenCommand

GetPinUvAuthTokenResponse

Input

  • The PIN/UV Auth Protocol
  • The PIN

Output

The encrypted token as a byte array.

APDU

Technical APDU Details


Get PIN/UV Auth token using PIN

Get a PIN/UV Auth token, to be used in later operations such as Make Credential.

There are actually three versions of "Get PIN Token":

  • getPinToken
  • getPinUvAuthTokenUsingPinWithPermissions
  • getPinUvAuthTokenUsingUvWithPermissions

The SDK has three different command classes to call each of the three operations:

  • GetPinTokenCommand
  • GetPinUvAuthTokenUsingPinCommand
  • GetPinUvAuthTokenUsingUvCommand

Available

All YubiKeys with the FIDO2 application.

SDK classes

GetPinUvAuthTokenUsingPinCommand

GetPinUvAuthTokenResponse

Input

  • The PIN/UV Auth Protocol
  • The PIN
  • A bit field listing the permissions
  • An optional relying party ID (rpId)

Output

The encrypted token as a byte array.

APDU

Technical APDU Details


Get PIN/UV Auth token using user verification (UV)

Get a PIN/UV Auth token, to be used in later operations such as Make Credential.

There are actually three versions of "Get PIN Token":

  • getPinToken
  • getPinUvAuthTokenUsingPinWithPermissions
  • getPinUvAuthTokenUsingUvWithPermissions

The SDK has three different command classes to call each of the three operations:

  • GetPinTokenCommand
  • GetPinUvAuthTokenUsingPinCommand
  • GetPinUvAuthTokenUsingUvCommand

Available

All YubiKeys with the FIDO2 application.

SDK classes

GetPinUvAuthTokenUsingUvCommand

GetPinUvAuthTokenResponse

Input

  • The PIN/UV Auth Protocol
  • A bit field listing the permissions
  • An optional relying party ID (rpId)

Output

The encrypted token as a byte array.

APDU

Technical APDU Details


Make credential

Make a credential for a relying party.

Available

All YubiKeys with the FIDO2 application.

SDK classes

MakeCredentialCommand

MakeCredentialResponse

Input

The authenticatorMakeCredential parameters specified in section 6.1 of the FIDO2 specifications.

Output

The credential (public key) and other information.

MakeCredentialData

APDU

Technical APDU Details


Get assertion

Get an assertion (credential) that will be verified by a relying party.

Available

All YubiKeys with the FIDO2 application.

SDK classes

GetAssertionCommand

GetAssertionResponse

Input

The authenticatorGetAssertion parameters specified in section 6.2 of the FIDO2 specifications.

GetAssertionParameters

Output

The credential, along with other information.

GetAssertionData

APDU

Technical APDU Details


Get next assertion

Get the next assertion (credential) associated with the relying party specified in a previous call to Get Assertion.

Available

All YubiKeys with the FIDO2 application.

SDK classes

GetNextAssertionCommand

GetAssertionResponse

Note that the response to GetNextAssertion is the same as the response to GetAssertion.

Input

None.

Output

The credential, along with other information.

GetAssertionData

APDU

Technical APDU Details


Get credential metadata

Get information about the credentials on the YubiKey. This is one of the subcommands of the authenticatorCredentialManagement command.

Not all YubiKeys support credential management. If you send this command to a YubiKey that does not support it, the response will be "Unsupported option".

Available

All YubiKeys with the FIDO2 application.

SDK classes

GetCredentialMetadataCommand

GetCredentialMetadataResponse

Input

A PIN/UV auth token (built using the "cm" permission), and the protocol used to build the token.

Output

The number of existing discoverable credentials on the YubiKey, and the maximum number of additional credentials the YubiKey can store.

The data is returned in the form of a Tuple of two integers.

APDU

Technical APDU Details


Enumerate RPs begin

Get the total number of RPs that can be found, along with information about the first relying party (RP) represented by the credentials on the YubiKey. This is one of the subcommands of the authenticatorCredentialManagement command.

Not all YubiKeys support credential management. If you send this command to a YubiKey that does not support it, the response will be "Unsupported option".

Available

All YubiKeys with the FIDO2 application.

SDK classes

EnumerateRpsBeginCommand

EnumerateRpsBeginResponse

Input

A PIN/UV auth token (built using the "cm" permission), and the protocol used to build the token.

Output

Information about the first RP on the YubiKey, and the total number of RPs represented.

The data is returned in the form of a Tuple consisting of an integer and a RelyingParty object.

APDU

Technical APDU Details


Enumerate RPs get next RP

Get information about the next relying party (RP) represented by the credentials on the YubiKey. This is one of the subcommands of the authenticatorCredentialManagement command.

Not all YubiKeys support credential management. If you send this command to a YubiKey that does not support it, the response will be "Unsupported option".

Available

All YubiKeys with the FIDO2 application.

SDK classes

EnumerateRpsGetNextCommand

EnumerateRpsGetNextResponse

Input

None (but this command must follow the EnumerateRpsBeginCommand).

Output

The next RP on the YubiKey. The call to EnumerateRpsBeginCommand returned the first RP. If there are more RPs, each successive call to EnumerateRpsGetNextCommand returns the next one.

The data is returned in the form of a RelyingParty object.

APDU

Technical APDU Details


Get large blob

Get the large blob data out of the YubiKey. This command returns the raw data; it does not perform any parsing or decoding.

Not all YubiKeys support large blobs. If you send this command to a YubiKey that does not support it, the response will be "Unsupported extension".

Available

All YubiKeys with the FIDO2 application.

SDK classes

GetLargeBlobCommand

GetLargeBlobResponse

Input

Offset and count.

Because a large blob can be bigger than the maximum message length, it is possible retrieving the entire data will require more than one call. The offset specifies the offset in the large blob data on the YubiKey where the returned data should begin. The first call specifies an offset of zero, and each subsequent call specifies an offset of the total number of bytes returned so far by each previous call.

The count is the number of bytes requested this call. This value must be less than or equal to the "maximum fragment length". There is a maximum message size (specified by the YubiKey and found in the AuthenticatorInfo) and the MaxFragmentLength is the MaxMessageSize - 64.

Output

The bytes the YubiKey was able to return. This is in the form of a ReadOnlyMemory<byte>. If the number of bytes returned is less than the count given, then there are no more bytes to return. If the number is equal to the count, there could be more bytes on the YubiKey, and the caller should send another command.

APDU

Technical APDU Details


Set large blob

Store large blob data on the YubiKey. This command stores the data as given; it does not perform any encoding. It replaces any data currently in the large blob storage area on the YubiKey.

Not all YubiKeys support large blobs. If you send this command to a YubiKey that does not support it, the response will be "Unsupported extension".

Available

All YubiKeys with the FIDO2 application.

SDK classes

SetLargeBlobCommand

SetLargeBlobResponse

Input

Data to store, offset, count, PinUvAuthParam, PinProtocol.

Because a large blob can be bigger than the maximum message length, it is possible storing the entire data will require more than one call. The offset specifies the offset in the large blob data on the YubiKey where the input data should be stored. The first call specifies an offset of zero, and each subsequent call specifies an offset of the total number of bytes stored so far by each previous call.

The count is the total number of bytes that will be stored. That is, it is the sum of all the lengths of bytes stored by each call. The first time the set command is called, the offset is zero and the count is the total number of bytes. Each subsequent call the offset is where the previous call left off and the count is ignored.

Each block of input must be less than or equal to maxFragmentLength bytes (MaxMessageSize - 64).

The caller needs authorization to store, and obtains it by generating a PinUvAuthParam.
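The fragmentation rules for Get Large Blob and Set Large Blob above, worked through as an added Python example that is not part of the SDK or this page. The in-memory store, the 1200-byte maximum message size and the token value are constructed; the PinUvAuthParam message layout follows the CTAP 2.1 authenticatorLargeBlobs definition (PIN/UV auth protocol 1), which this page does not spell out.

```python
import hashlib
import hmac

MAX_MESSAGE_SIZE = 1200                      # constructed; a real key reports it in AuthenticatorInfo
MAX_FRAGMENT_LENGTH = MAX_MESSAGE_SIZE - 64  # the page's maxFragmentLength rule
TOKEN = b"\x11" * 32                         # constructed stand-in for a PIN/UV auth token

def large_blob_auth_param(token, offset, fragment):
    # CTAP 2.1 authenticatorLargeBlobs: authenticate(token, 32 x 0xff || 0x0c00 || LE32(offset) || SHA-256(fragment));
    # protocol 1 truncates the HMAC-SHA-256 to 16 bytes.
    msg = b"\xff" * 32 + b"\x0c\x00" + offset.to_bytes(4, "little") + hashlib.sha256(fragment).digest()
    return hmac.new(token, msg, hashlib.sha256).digest()[:16]

class FakeLargeBlobStore:
    """Constructed stand-in for the YubiKey's large-blob area, not SDK code."""
    def __init__(self):
        self.data = b""
        self.pending = None  # (expected total, buffer) while a multi-call set is in progress

    def get(self, offset, count):
        if count > MAX_FRAGMENT_LENGTH:
            raise ValueError("count exceeds maxFragmentLength")
        return self.data[offset:offset + count]

    def set(self, fragment, offset, count, auth_param):
        if len(fragment) > MAX_FRAGMENT_LENGTH:
            raise ValueError("fragment exceeds maxFragmentLength")
        if not hmac.compare_digest(auth_param, large_blob_auth_param(TOKEN, offset, fragment)):
            raise PermissionError("pinUvAuthParam does not verify")
        if offset == 0:
            self.pending = (count, bytearray())      # count is the total length; later calls ignore it
        if self.pending is None or offset != len(self.pending[1]):
            raise ValueError("offset must equal the bytes stored so far")
        total, buf = self.pending
        buf += fragment
        if len(buf) == total:                         # last fragment: commit, replacing the old blob
            self.data, self.pending = bytes(buf), None

def read_large_blob(store):
    out, offset = bytearray(), 0
    while True:
        chunk = store.get(offset, MAX_FRAGMENT_LENGTH)
        out += chunk
        offset += len(chunk)
        if len(chunk) < MAX_FRAGMENT_LENGTH:          # short read: nothing more on the key
            return bytes(out)

def write_large_blob(store, data, token=TOKEN):
    for offset in range(0, len(data), MAX_FRAGMENT_LENGTH):
        frag = data[offset:offset + MAX_FRAGMENT_LENGTH]
        store.set(frag, offset, len(data), large_blob_auth_param(token, offset, frag))
    return len(data)
```

Note that a blob whose length is an exact multiple of the fragment length needs one extra Get call that returns zero bytes before the reader can conclude it is done.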

Output

None

APDU

Technical APDU Details


Reset

Reset the FIDO2 application on a YubiKey. This will delete all existing FIDO2 keys and credentials, and remove the PIN.

Simply executing this command is not sufficient to reset: it must be sent within a time limit after the YubiKey is inserted, and it must be accompanied by proof of user presence (touch).

Available

All YubiKeys with the FIDO2 application.

SDK classes

ResetCommand

ResetResponse

Input

None.

Output

None

APDU

Technical APDU Details

