---
keywords:
  - IT
  - Security
---

# Fido2

### features

- WebAuthn - main feature, login with username (known value by user), challenge/response (secret) and button (interactive)/PIN
- resident keys
- HMAC-secret extension - symmetric key scoped to a credential - https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html#sctn-hmac-secret-extension

## hardware

#### OpenSK

#### solo2

#### nitrokey

### code snippets

Source: https://gist.github.com/alexgwolff/5d7f6802996cad2847c4a16995da410b

> **Using resident keys**
>
> If your security key supports FIDO2 resident keys*, like the YubiKey 5 Series, YubiKey 5 FIPS Series, or the Security Key NFC by Yubico, you can enable this when creating your SSH key:
>
> ```
> $ ssh-keygen -t ecdsa-sk -O resident
> ```
>
> This works the same as before, except a resident key is easier to import to a new computer because it can be loaded directly from the security key. To use the SSH key on a new computer, make sure you have ssh-agent running and simply run:
>
> ```
> $ ssh-add -K
> ```
>
> This will load a “key handle” into the SSH agent and make the key available for use on the new computer. This works great for short visits, but it won’t last forever – you’ll need to run ssh-add again if you reboot the computer, for example. To import the key permanently, instead run:
>
> ```
> $ ssh-keygen -K
> ```
>
> This will write two files into the current directory: `id_ecdsa_sk_rk` and `id_ecdsa_sk_rk.pub`. Now you just need to rename the private key file to `id_ecdsa_sk` and move it into your SSH directory:
>
> ```
> $ mv id_ecdsa_sk_rk ~/.ssh/id_ecdsa_sk
> ```
>
> Finally, there’s one more feature to be excited about…

## references

https://2fa.directory/int/
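The "symmetric key scoped to a credential" point under features, as an added example that is not from the linked spec or any authenticator project: a simulated authenticator implementing the core of the CTAP2 hmac-secret extension, output = HMAC-SHA-256(CredRandom, salt). It is a simplification: the real protocol encrypts the salt and the output under an ECDH-derived shared secret between platform and authenticator and requires user presence/PIN; `SimAuthenticator`, `derive_wrapping_key` and `scoping_holds` are hypothetical names.

```python
# Added example: simulated CTAP2 hmac-secret extension (not real hardware).
# Only the per-credential HMAC derivation is modelled; salt/output encryption
# with the platform's ECDH shared secret and user verification are omitted.
import hashlib
import hmac
import os


class SimAuthenticator:
    """Hypothetical in-memory authenticator: one random CredRandom per credential."""

    def __init__(self):
        # credential_id -> 32-byte CredRandom; in real devices this never leaves the key
        self._cred_random = {}

    def make_credential(self, rp_id: str) -> bytes:
        """makeCredential with hmac-secret requested: mint a CredRandom for the new credential."""
        cred_id = hashlib.sha256(rp_id.encode() + os.urandom(16)).digest()[:16]
        self._cred_random[cred_id] = os.urandom(32)
        return cred_id

    def hmac_secret(self, cred_id: bytes, salt: bytes) -> bytes:
        """getAssertion with hmac-secret: returns HMAC-SHA-256(CredRandom, salt)."""
        if len(salt) != 32:
            raise ValueError("hmac-secret salt must be exactly 32 bytes")
        if cred_id not in self._cred_random:
            raise KeyError("unknown credential")
        return hmac.new(self._cred_random[cred_id], salt, hashlib.sha256).digest()


def derive_wrapping_key(auth: SimAuthenticator, cred_id: bytes, salt: bytes) -> bytes:
    """Platform side: turn the extension output into a key for local data
    (e.g. unlocking a password database). The salt is stored on disk; the key is not."""
    out = auth.hmac_secret(cred_id, salt)
    return hashlib.sha256(b"wrap-key-v1" + out).digest()


def scoping_holds(auth: SimAuthenticator) -> bool:
    """Check the property the notes describe: the secret is scoped to one credential."""
    a = auth.make_credential("example.com")
    b = auth.make_credential("example.com")  # second credential, same RP
    salt = os.urandom(32)
    stable = auth.hmac_secret(a, salt) == auth.hmac_secret(a, salt)
    per_credential = auth.hmac_secret(a, salt) != auth.hmac_secret(b, salt)
    per_salt = auth.hmac_secret(a, salt) != auth.hmac_secret(a, os.urandom(32))
    return stable and per_credential and per_salt
```

Because the output depends on a secret that only exists inside the authenticator, a disk-resident salt alone yields nothing; losing the key means losing the derived wrapping key, so a second enrolled credential (or a separate recovery path) is needed.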