Fido2Session Class

Namespace: Yubico.YubiKey.Fido2
Assembly: Yubico.YubiKey.dll

Represents an active session with the FIDO2 application on the YubiKey.

C#
public sealed class Fido2Session
Inheritance: object → Fido2Session

Remarks

When you need to perform FIDO2 operations, instantiate this class to create a session, then call its methods.

Generally, you will choose the YubiKey to use by building an instance of IYubiKeyDevice. This object will represent the actual YubiKey hardware.

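using System;
using System.Collections.Generic;
using Yubico.YubiKey;

IYubiKeyDevice SelectYubiKey()
{
    // Enumerate every YubiKey currently connected to the host.
    IEnumerable<IYubiKeyDevice> yubiKeyList = YubiKeyDevice.FindAll();
    foreach (IYubiKeyDevice current in yubiKeyList)
    {
        /* Determine which YubiKey to use */
        bool selected = true; // placeholder: replace with your own selection test
        if (selected)
        {
            return current;
        }
    }

    // No connected YubiKey matched, so fail instead of falling off the end.
    throw new InvalidOperationException("No suitable YubiKey found.");
}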

Once you have the YubiKey to use, you will build an instance of this Fido2Session class to represent the FIDO2 application on the hardware. Because this class implements IDisposable, use the using keyword. For example,

IYubiKeyDevice yubiKeyToUse = SelectYubiKey();
using (var fido2 = new Fido2Session(yubiKeyToUse))
{
    /* Perform FIDO2 operations. */
}

If this class is used as part of a using expression or statement, when the session goes out of scope, the Dispose method will be called to dispose of the active FIDO2 session. This will clear any application state, and ultimately release the connection to the YubiKey.
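
A fuller session than the skeleton above, as an added example rather than code from the Yubico documentation: it verifies the PIN with only the CredentialManagement permission, reports the retry counters instead of retrying blindly, and clears the auth token and PIN buffer when done. The helper name ListCredentials, the Commands namespace for PinUvAuthTokenPermissions, and the Id, User and Name properties are assumptions not shown on this page.

```csharp
using System;
using System.Security.Cryptography;
using Yubico.YubiKey;
using Yubico.YubiKey.Fido2;
using Yubico.YubiKey.Fido2.Commands; // assumed home of PinUvAuthTokenPermissions

static class Fido2Inventory
{
    // Hypothetical helper (not part of the SDK). pinUtf8 is wiped before returning.
    public static bool ListCredentials(IYubiKeyDevice device, byte[] pinUtf8)
    {
        using (var fido2 = new Fido2Session(device))
        {
            try
            {
                // Least privilege: request only the permission this task needs.
                bool verified = fido2.TryVerifyPin(
                    pinUtf8,
                    PinUvAuthTokenPermissions.CredentialManagement,
                    null, // token is not scoped to a single relying party
                    out int? retriesRemaining,
                    out bool? rebootRequired);

                if (!verified)
                {
                    // Surface the counters; looping on a wrong PIN can block the key.
                    Console.WriteLine($"PIN rejected. Retries left: {retriesRemaining}, " +
                        $"reinsert required: {rebootRequired}");
                    return false;
                }

                foreach (var rp in fido2.EnumerateRelyingParties())
                {
                    foreach (var cred in fido2.EnumerateCredentialsForRelyingParty(rp))
                    {
                        Console.WriteLine($"{rp.Id}: {cred.User.Name}");
                    }
                }
                return true;
            }
            finally
            {
                // Drop the token and wipe the PIN even if enumeration throws.
                fido2.ClearAuthToken();
                CryptographicOperations.ZeroMemory(pinUtf8);
            }
        }
    }
}
```

Because this overload takes the PIN directly, no KeyCollector is consulted for PIN entry; the caller owns the buffer and should not keep another copy of the PIN in a string.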

Constructors

Name Description
Fido2Session(IYubiKeyDevice)

Creates an instance of Fido2Session, the object that represents the FIDO2 application on the YubiKey.

Properties

Name Description
AuthProtocol

The PIN protocol to use for all operations on this session instance.

AuthToken

The current PIN / UV Auth token, if present.

AuthTokenPermissions

The set of permissions associated with the AuthToken.

AuthTokenRelyingPartyId

The relying party ID associated with the permissions.

AuthenticatorInfo

The FIDO2 AuthenticatorInfo for the connected YubiKey.

Connection

The object that represents the connection to the YubiKey. Most applications can ignore this, but it can be used to call command classes and send APDUs directly to the YubiKey during advanced scenarios.

KeyCollector

A callback that this class will call when it needs the YubiKey touched or a PIN verified.

Methods

Name Description
AddPermissions(PinUvAuthTokenPermissions, string?)

Obtain a PinUvAuthToken that possesses the given permissions along with the current permissions. This is generally called early in a session to specify which set of permissions you expect to need for the operations you will be calling.

ChangePin()

Changes the PIN using the KeyCollector.

ClearAuthToken()

Reset the AuthToken, AuthTokenPermissions, and AuthTokenRelyingPartyId to null, so that any future operation that retrieves an AuthToken will not use the current values.

DeleteCredential(CredentialId)

This performs the deleteCredential subcommand of the authenticatorCredentialManagement command. It deletes the one credential represented by the given credentialId.

Dispose()

EnrollFingerprint(string?, int?)

Try to enroll a fingerprint. This will require several samples. See also the User's Manual entry on Bio Enrollment.

EnumerateBioEnrollments()

Get a list of all the bio enrollments on a YubiKey.

EnumerateCredentialsForRelyingParty(RelyingParty)

This performs the enumerateCredentials (Begin and GetNextCredential) subcommands of the authenticatorCredentialManagement command. It gets a list of all the credentials associated with a specified relying party.

EnumerateRelyingParties()

This performs the enumerateRPs (Begin and GetNextRP) subcommands of the authenticatorCredentialManagement command. It gets a list of all the relying parties represented in all the discoverable credentials on the YubiKey.

GetAssertions(GetAssertionParameters)

Gets one or more assertions for a particular relying party.

Note

You must supply a GetAssertionParameters object to this method. However, you do not need to set the PinUvAuthParam property; the SDK will do so.

GetAuthenticatorInfo()

Returns information about the authenticator (the YubiKey), including defaults and bounds for various fields and parameters used by FIDO2.

GetBioModality()

Get the biometric method the YubiKey uses. If the YubiKey is not a Bio series device, this will return "None".

GetCredentialMetadata()

This performs the getCredsMetadata subcommand of the authenticatorCredentialManagement command. It gets metadata for all the credentials on the YubiKey.

GetFingerprintSensorInfo()

Get the fingerprint sensor info, which is the "fingerprint kind" (touch or swipe), maximum capture count, and the maximum length, in bytes, of a template friendly name.

GetSerializedLargeBlobArray()

Get the current Serialized Large Blob Array out of the YubiKey. See also the User's Manual entry on large blobs.

MakeCredential(MakeCredentialParameters)

Creates a FIDO2 credential on the YubiKey given a parameters object.

SetAuthProtocol(PinUvAuthProtocolBase)

Overrides the default PIN/UV Auth protocol (which is determined by the YubiKey and SDK).

SetBioTemplateFriendlyName(ReadOnlyMemory<byte>, string)

Set the friendly name of a template. If the template already has a friendly name, this will replace it.

SetPin()

Sets the initial FIDO2 PIN using the KeyCollector. To change an existing PIN, use the ChangePin() function.

SetSerializedLargeBlobArray(SerializedLargeBlobArray)

Set the Serialized Large Blob Array in the YubiKey to contain the data in the input serializedLargeBlobArray. See also the User's Manual entry on large blobs.

TryChangePin()

Tries to change the PIN using the KeyCollector.

TryChangePin(ReadOnlyMemory<byte>, ReadOnlyMemory<byte>)

Tries to change the PIN.

TryEnableEnterpriseAttestation()

Try to set the YubiKey to enable enterprise attestation. If the YubiKey selected does not support enterprise attestation, this method will return false.

TryRemoveBioTemplate(ReadOnlyMemory<byte>)

Try to remove a template from a YubiKey. If there is no enrollment on the YubiKey for the given template ID, this method will do nothing and return true.

TrySetPin()

Tries to set the initial FIDO2 PIN using the KeyCollector. To change an existing PIN, use the TryChangePin() function.

TrySetPin(ReadOnlyMemory<byte>)

Tries to set the initial FIDO2 PIN. To change an existing PIN, use the TryChangePin() function.

TrySetPinConfig(int?, IReadOnlyList<string>?, bool?)

Perform the authenticatorConfig subcommand of setMinPINLength, which will set the minimum PIN length, and/or replace the list of relying parties that are allowed to see the minimum PIN length, and/or specify that the user must change the PIN.

TryToggleAlwaysUv()

Try to toggle the YubiKey's "alwaysUv" option (set to false if currently true, or set to true if currently false). If the YubiKey selected does not support the "alwaysUv" option, this method will return false.

TryVerifyPin(PinUvAuthTokenPermissions?, string?)

Tries to verify the PIN against the YubiKey using the KeyCollector.

TryVerifyPin(ReadOnlyMemory<byte>, PinUvAuthTokenPermissions?, string?, out int?, out bool?)

Tries to verify the PIN against the YubiKey.

TryVerifyUv(PinUvAuthTokenPermissions, string?)

Tries to perform a User Verification (UV) check on the YubiKey using the onboard biometric sensor. This method is only supported on YubiKey Bio Series devices. The permissions argument must be something other than None.

UpdateUserInfoForCredential(CredentialId, UserEntity)

This performs the updateUserInformation subcommand of the authenticatorCredentialManagement command. It replaces the user info in the credential represented by the given credentialId with the given user data.

VerifyPin(PinUvAuthTokenPermissions?, string?)

Verifies the PIN against the YubiKey using the KeyCollector.

VerifyUv(PinUvAuthTokenPermissions, string?)

Performs a User Verification (UV) check on the YubiKey using the onboard biometric sensor. This method is only supported on YubiKey Bio Series devices. Uses the KeyCollector for touch prompting.
