FIDO2 - Fast Identity Online 2
FIDO2 keys in OpenSSH allow passwordless authentication using hardware security keys such as YubiKeys, SoloKeys, and NitroKeys.
Hardware-backed authentication prevents phishing attacks: these keys provide strong, phishing-resistant authentication by combining public-key cryptography with hardware-backed security.
Key Features of FIDO2 in OpenSSH:
Enable FIDO2 in OpenSSH:
To use OpenSSH with Trezor via FIDO2, you need to have libfido2 (version 1.3.0 or above) and OpenSSH (version 8.2 or above) installed on your client.
OpenSSH needs to be compiled with the following configure option enabled, which builds support for security keys into OpenSSH itself:
--with-security-key-builtin
For the server, you just need to have OpenSSH (version 8.2 or above) installed.
To generate an ed25519-sk key, which creates a key pair that works with FIDO2 authentication, use the following command:
ssh-keygen -t ed25519-sk
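The prerequisites above (OpenSSH 8.2 or newer, built with security key support) and the resulting sk key type can be checked before and after key generation. The script below is an added example, not code from the original page or from Trezor; it assumes a POSIX sh with sed and awk, that `ssh -V` reports a version string of the form "OpenSSH_<major>.<minor>...", and that key lines follow the authorized_keys format.

```shell
#!/bin/sh
# Added example, not from the original page: pre-flight checks for FIDO2
# security keys in OpenSSH. Assumes POSIX sh with sed/awk, that `ssh -V`
# reports "OpenSSH_<major>.<minor>..." and the authorized_keys file format.

# ssh_version_ok "OpenSSH_8.2p1 ..." -> exit 0 if the version is >= 8.2
ssh_version_ok() {
    v=$(printf '%s' "$1" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
    [ -n "$v" ] || return 1
    major=${v% *}; minor=${v#* }
    [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -ge 2 ]; }
}

# is_sk_key "<type> <base64> [comment]" -> exit 0 for a FIDO2 (-sk) key type
is_sk_key() {
    case "${1%% *}" in
        sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_authorized_keys [FILE] -> prints "<fido2 keys> <fido2 keys with no-touch-required>"
# (reads stdin when FILE is omitted). no-touch-required disables the presence check.
audit_authorized_keys() {
    awk '
        /^[ ]*#/ || NF == 0 { next }
        /(^|[ ,])sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com / {
            sk++
            if ($0 ~ /(^|,)no-touch-required[, ]/) notouch++
        }
        END { printf "%d %d\n", sk, notouch }' ${1:+"$1"}
}

# Stand-alone run: check the local client, then audit a constructed sample.
if command -v ssh >/dev/null 2>&1; then
    ver=$(ssh -V 2>&1)
    ssh_version_ok "$ver" && echo "ok: $ver" || echo "too old (need >= 8.2): $ver"
    # sk-* key types are listed only when OpenSSH was built with security key support
    ssh -Q key 2>/dev/null | grep -q '^sk-' && echo "ok: sk-* key types available" \
        || echo "missing: no sk-* key types (rebuild with --with-security-key-builtin)"
fi
audit_authorized_keys <<'EOF'   # constructed sample, not real keys; prints "2 1"
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER alice@laptop
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9PLACEHOLDER alice@yubikey
no-touch-required sk-ecdsa-sha2-nistp256@openssh.com AAAAPLACEHOLDER bob@solokey
EOF
```

Run the audit against a real file with `audit_authorized_keys ~/.ssh/authorized_keys` to see how many accounts rely on hardware keys and which of them have the touch requirement switched off.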