Hardware Security Key KB

Field-tested runbooks and reference material for diagnosing, recovering, and re-provisioning enterprise smart card and FIDO2 security keys.

This knowledge base captures the kind of operational detail that doesn't make it into vendor docs — the diagnostic order, the gotchas, the moments where a single CLI flag means the difference between recovery and a full reprovision. Everything here is written from real incident work and sanitized for public reference.

Start here

A note on scope

These docs cover dual-interface smart card + FIDO2 tokens of the kind typically deployed in enterprise IAM rollouts as a replacement for legacy OTP fobs. Specific vendor names and proprietary command syntaxes have been generalized; the underlying concepts (ACA, PIV, OATH, FIDO2 CTAP) are open standards that apply across the category.

If you're rolling out keys at scale and finding the vendor docs read like an API reference rather than a help desk playbook — this is the gap I'm trying to fill.