Device Inventory
Device Inventory provides a centralized, real-time view of all registered FIDO authenticators in an organization. It enables administrators to quickly locate devices and perform the following actions:
View Device Inventory Details
Device Inventory provides two types of views to help administrators access device details efficiently:
- Summary View: Displays essential device details in a compact format for quick identification and action.
- Expanded View: Provides complete device information, including lifecycle and compliance details, for in-depth management.
Summary View
| Column | Description |
|---|---|
| Device | Displays the names of the FIDO authenticators (for example, SafeNet eToken Fusion NFC PIV Enterprise). |
| Device Mode | Indicates whether a device is Managed or Unmanaged. Managed devices are Thales FIDO 2.1 devices, which support setting an admin PIN and enterprise features. Some of the enterprise features include configuring a minimum PIN length, enforcing PIN changes, enforcing user verification, and whitelisting web services. |
| Policy | Displays the authentication policies assigned to devices. |
| User Name | Displays the usernames of users associated with the devices. |
| Actions: Revoke | Provides an option to revoke a device from use. |
Expanded View
In addition to the information available in the Summary view, the Expanded view provides more device-specific details that support device lifecycle management and compliance tracking.
To view these details, under Device Inventory, click on the expand arrow 
icon for the desired device.
| Column | Description |
|---|---|
| SERIAL NUMBER | Displays the unique serial number of the device. |
| VERSION | Displays the device version (for example, FIDO_2_1). |
| AAGUID | Provides Authenticator Attestation Globally Unique Identifier (AAGUID), a unique identifier for device identification. |
| STATUS | Indicates the current state of the device (REVOKED, ENROLLED, CONFIGURED). |
| IDENTITY PROVIDER | Displays name of the identity provider. |
| UPDATED | Displays the last updated date and time for the device record. |
Search Devices
The Search operation allows administrators to quickly locate devices across large inventories. Use the search bar to filter configured devices and view their details based on any of the following criteria:
-
Serial Number – To search for a device using its unique serial number.
-
Policy Name – To list all devices to which a specific policy is applied.
-
User Name – To list device(s) assigned to a specific user.
Tip
For best results, search using the complete value (for example, a complete Serial Number) . If the exact value is unavailable, begin with a partial serial Number, the policy name, or user name to narrow down the results.
Export Devices
The Export operation generates complete details (in a .csv file) of all the devices listed under Device Inventory. The exported file includes information from both the Summary view and the Expanded view for devices listed in the current inventory list.
To export devices' details, under Device Inventory, click Export.
Note
If required, use the Search operation to refine the device list and then click Export.
Caution
Exported files may contain sensitive information such as serial numbers and assignment details. Store and share the exported files in accordance with your organization’s data handling and security policies.
Revoke Devices
The Revoke operation permanently disables a device for authentication. Use Revoke when a device is lost, stolen, compromised, or no longer authorized. Revocation changes the device status to Revoked and prevents the device from being used for future authentication.
Perform the following steps to revoke a device:
-
Under Device Inventory, search for and locate the device that you want to revoke.
-
In the Actions column, click the three-dots
icon for the device, and then select Revoke.
-
The Revoke Device window is displayed. Click Revoke to confirm the operation.
After the device is successfully revoked, the STATUS of the device is changed to Revoked.
Warning
Revocation is a permanent action. Once a device is revoked, it is permanently disabled and cannot be used for authentication again.
To reuse the device, it needs to be re-enrolled for a user.
View Device PIN
Administrators can view a device PIN for administrative verification.
Caution
Use this option only in secure environments to prevent unauthorized PIN exposure.
Perform the following steps to view a device PIN:
-
Under Device Inventory, search for and locate the device for which you want to view the PIN.
-
In the Actions column, click the three-dots
icon for the device, and then select View PIN.
-
On the Device PIN window, click on the Show Password
icon to view the device PIN.
-
Click Close to close the window.
Unlock Devices
A FIDO device is locked after repeated incorrect PIN attempts. When the device is locked, the user cannot authenticate until it is successfully unlocked. Thales Authenticator Lifecycle Manager provides two secure options to unlock a device:
- Remote Unlock (Challenge–Response Method): The locked device stays with the end user, while the administrator assists remotely using Thales Authenticator Lifecycle Manager.
- Physical Unlock (Admin Mode): The administrator has physical access to the device and performs the unlock operation directly in Thales Authenticator Lifecycle Manager. This operation can be performed under FIDO Key Management.
Remote Unlock
The remote unlock option is used when the locked device remains with the end user. This method uses a secure challenge–response mechanism. The user generates a challenge in SafeNet FIDO Key Manager (FKM), and the administrator generates the corresponding response in Thales Authenticator Lifecycle Manager. The user enters the response to reset the PIN and unlock the device.
Before starting the remote unlock process, ensure to complete the following prerequisites:
- The end user must have SafeNet FIDO Key Manager (FKM) installed.
- The FIDO device remains connected throughout the process.
- The end user must have an authorized support channel (for example, Teams, Slack, ticketing system, etc.) to contact the Thales Authenticator Lifecycle Manager administrator.
User Steps
-
Insert the FIDO device, open SafeNet FIDO Key Manager (FKM), and click Unblock FIDO Key.
Caution
Do not remove the FIDO device at any point during the unlock process.
-
Click Generate Code to generate a challenge.
-
Click Copy to copy the generated code and share it with the Thales Authenticator Lifecycle Manager administrator.
After sharing the challenge, wait for the administrator to complete the corresponding unlock steps in Thales Authenticator Lifecycle Manager and provide you with a response code. Refer to the Administrator Steps section.
-
After receiving the response code from the administrator, enter it in the response code field and click Submit.
-
When prompted, enter a new PIN and re-enter it to confirm, then click Submit.
After the device is successfully unlocked, the success message is displayed.
Administrator Steps
-
Log in to Thales Authenticator Lifecycle Manager and go to the Inventory menu.
-
In the Device Inventory list, search for and locate the device to be unlocked.
-
In the Actions column, click the three-dots
icon and select Unlock a device remotely. 
-
Under Unlock device remotely, enter the challenge code provided by the user and click Submit.
-
Click the Copy to clipboard icon
to copy the generated response code. Share this code with the user and click Finish. 
Next steps for users: The user must continue from user step 4 to enter the response code and reset the device PIN.
