Fido2
features
- WebAuth
- main feature, login with username (known value by user), ChallengeResponse ( secret ) and button (interactive)/PIN
- resident keys
- HMAC-secret extension
hardware
OpenSK
solo2
nitrokey
code snippets
Using resident keys If your security key supports FIDO2 resident keys*, like the YubiKey 5 Series, YubiKey 5 FIPS Series, or the Security Key NFC by Yubico, you can enable this when creating your SSH key:
$ ssh-keygen -t ecdsa-sk -O resident
This works the same as before, except a resident key is easier to import to a new computer because it can be loaded directly from the security key. To use the SSH key on a new computer, make sure you have ssh-agent running and simply run:
$ ssh-add -K
This will load a “key handle” into the SSH agent and make the key available for use on the new computer. This works great for short visits, but it won’t last forever – you’ll need to run ssh-add again if you reboot the computer, for example. To import the key permanently, instead run:
$ ssh-keygen -K
This will write two files into the current directory: id\_ecdsa\_sk\_rk and id\_ecdsa\_sk\_rk.pub. Now you just need to rename the private key file to id\_ecdsa\_sk and move it into your SSH directory:
$ mv id\_ecdsa\_sk\_rk ~/.ssh/id\_ecdsa_sk
Finally, there’s one more feature to be excited about…
references
https://2fa.directory/int/