To access the security key management interface, go to Settings, click on "Privacy and Security", and choose "Security".
Then click on the "Manage Security Keys" option.
This will open the list of possible operations.
Creating a PIN
To create a PIN on your FIDO2 key, click on the "Create a PIN" link.
When prompted, touch or press the button on your T2F2 security key. In the next window, enter a numeric PIN code.
After clicking on Save, your FIDO2 key will be protected with the PIN code you defined here. Please note that this PIN code will be required to perform all the remaining operations described in this article, except resetting the key. After 3 wrong PIN attempts, the system will ask you to unplug and plug the key back in. If subsequent PIN attempts are invalid as well, the authenticator has to be reset (all keys are erased) to be used again.
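The lockout behaviour described above can be modelled as two counters, one that is cleared by re-plugging the key and one that is not. This is an added example, not Token2 or browser code: the class and function names are hypothetical, and the total of 8 retries is the CTAP2 specification value, which this page does not state.

```python
from enum import Enum

MAX_PIN_RETRIES = 8   # CTAP2 specification value; an assumption, not stated on the page
MAX_CONSECUTIVE = 3   # the "3 wrong PIN attempts" described on the page

class PinResult(Enum):
    OK = "ok"
    INVALID = "CTAP2_ERR_PIN_INVALID"            # wrong PIN, try again
    AUTH_BLOCKED = "CTAP2_ERR_PIN_AUTH_BLOCKED"  # unplug and re-plug the key
    BLOCKED = "CTAP2_ERR_PIN_BLOCKED"            # only a reset helps now

class AuthenticatorModel:  # hypothetical model of the key, not firmware
    def __init__(self):
        self.reset()

    def reset(self):  # needs no PIN; erases the PIN and all credentials
        self.pin, self.credentials = None, []
        self.retries = MAX_PIN_RETRIES  # survives unplugging
        self.consecutive = 0            # cleared by unplugging

    def power_cycle(self):
        self.consecutive = 0

    def verify_pin(self, pin):
        if self.retries == 0:
            return PinResult.BLOCKED
        if self.consecutive >= MAX_CONSECUTIVE:
            return PinResult.AUTH_BLOCKED  # even the correct PIN is refused
        if pin == self.pin:
            self.retries, self.consecutive = MAX_PIN_RETRIES, 0
            return PinResult.OK
        self.retries -= 1
        self.consecutive += 1
        if self.retries == 0:
            return PinResult.BLOCKED
        if self.consecutive >= MAX_CONSECUTIVE:
            return PinResult.AUTH_BLOCKED
        return PinResult.INVALID

def wrong_guesses_until_blocked():  # returns (wrong guesses, re-plugs)
    key = AuthenticatorModel()
    key.pin = "4821"  # constructed sample PIN
    guesses = replugs = 0
    while True:
        guesses += 1
        result = key.verify_pin("0000")
        if result is PinResult.BLOCKED:
            return guesses, replugs
        if result is PinResult.AUTH_BLOCKED:
            key.power_cycle()
            replugs += 1
```

Under these assumptions, someone guessing PINs gets eight wrong attempts and two re-plugs before a reset is the only remaining option, and the reset erases the credentials they were after.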
Adding a fingerprint
FIDO2 keys with biometric support can optionally be protected with fingerprints in addition to PIN codes. Click on "Fingerprints", then "Add" to enroll your first fingerprint.
To complete adding the fingerprint, the tool will ask you to keep touching the sensor until a checkbox icon is shown.
As you can add multiple fingerprints, you can name them so that you can manage them later (e.g. delete a fingerprint or re-add a different finger).
Click on "Continue" to finish adding the fingerprint.
The "Sign-in Data" feature is available for security keys running FIDO2.1pre firmware and allows managing user credentials separately. For example, if you have enrolled the same key into two different Office 365 tenants (e.g. token2.ch and token2.fr) and want to remove only one, this is possible only through the "Sign-in Data" setting.
Please note that the same operation is not possible with FIDO2.0 keys: you will have to either reset the key completely (which will delete all stored credentials) or remove the FIDO2 key enrollment on the server side (in Azure AD).
Reset your security key
To reset your security key, you can use this option. The operation will not require any PIN, but will remove all credentials and website associations stored on the device.