verify-required: ssh-keygen manpage ambiguity
Christian Weisgerber
naddy at mips.inka.de
Sat Jan 11 10:43:44 AEDT 2025
Lukas Ribisch:
> Based on my understanding of the FIDO protocol, user verification is
> independently requested during key creation and verification via
> server (i.e. relying party in FIDO/WebAuthN terminology) side flags,
> i.e. "user verification required" is not a per-key/credential, but
> rather a per-operation property.
CTAP 2.1 has a Credential Protection feature which allows a newly
created credential to be mandatorily protected by the authenticator
through some form of user verification, e.g. PIN entry. This is
requested by ssh-keygen when generating a key with the verify-required
option, see sk_enroll() in sk-usbhid.c.
--
Christian "naddy" Weisgerber naddy at mips.inka.de