by jdoss 1969 days ago
As someone who leaned pretty hard into using a Yubikey 5 for GPG/SSH keys over the past year, I am looking forward to giving this a try on my Fedora workstations. If you are interested in a fantastic walkthrough of using a Yubikey with your GPG/SSH keys, check out https://github.com/drduh/YubiKey-Guide

I am also really looking forward to the YubiKey Bio getting released.


If you just want ssh it's even easier to use u2f/fido now since it's built into openssh.

I didn't know that. Thanks! I'll check it out.
FIDO-based SSH requires support from the server, because it's a new authentication method. So this is great in an environment where you control the servers, and some day it'll be pretty great for almost everybody, but today e.g. you can't use FIDO for GitHub. Whereas the older methods did not have this dependency.

On the other hand, one really nice thing is that FIDO lets you force employees to actually use organisation-mandated security if that's appropriate. There's no way to force the remote SSH client not to store that RSA private key unencrypted, for example, even if it is company policy to use a 16-character passphrase; but if you issue every employee a Yubikey (picking one famous brand) the FIDO authentication step can insist that a genuine Yubikey was used, that the Yubikey says a PIN was entered, and that user presence was confirmed. The OpenSSH design passes the digitally signed assurance from the Yubikey to the remote server for assessment, so you can't just comment out a few lines of SSH client code to bypass it.

Should you actually do that? Probably not, but it's an option you didn't have before. Certainly if your key people already swear they obey a policy requiring this there's no harm in enforcing it, is there?

> There's no way to force the remote SSH client not to store that RSA private key unencrypted

But there is a way to remotely attest that the private key has been generated on device (either through TPM attestation or https://developers.yubico.com/PGP/Attestation.html).

Not to mention that the admin could just generate private keys on the token and give employees that.

I was unaware of these options, thank you.
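Added example, not code from the thread, OpenSSH or Yubico: the concrete OpenSSH knobs behind the "PIN entered and user present" enforcement discussed above, plus a small audit of an authorized_keys file. The ssh-keygen line shows the client side of the attestation point too: for FIDO keys the analogue of the linked PGP attestation is ssh-keygen's -O write-attestation, which records the token's attestation statement at enrolment (it is discarded by default). The enrolment commands need a plugged-in FIDO2 token, so they are shown in comments rather than run; the file paths, user comments and key blobs are constructed and are not real keys.

```shell
#!/usr/bin/env bash
# Added example; not code from the thread, OpenSSH or Yubico.
# All paths, comments and key blobs below are constructed for illustration.
set -eu

# --- 1. Client side: enrolment (needs a FIDO2 token, so not executed here) ---
#   ssh-keygen -t ed25519-sk -O verify-required \
#       -O challenge=challenge.bin -O write-attestation=attest.bin \
#       -f ~/.ssh/id_ed25519_sk
# -O verify-required bakes "PIN required" into the key handle;
# -O write-attestation keeps the token's attestation statement for enrolment.

# --- 2. Server side: global default for sshd_config -------------------------
# touch-required stops a per-key "no-touch-required" from overriding the
# presence check; verify-required demands the user-verification (PIN) flag.
SSHD_CONFIG_SNIPPET='PubkeyAuthOptions verify-required touch-required'

# --- 3. Server side: audit authorized_keys ----------------------------------
# Prints one finding per FIDO key that can be used without a PIN (missing the
# verify-required option) or without touch (no-touch-required set).
# Returns 1 if anything was found, 0 otherwise. Non-FIDO keys are skipped,
# because the touch/PIN flags carry no meaning for them.
audit_authorized_keys() {
    awk '
    BEGIN { bad = 0 }
    /^[[:space:]]*(#|$)/ { next }
    {
        # Locate the key-type field; everything before it is the option list.
        if (!match($0, /sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com[[:space:]]/)) next
        opts = substr($0, 1, RSTART - 1)                    # may be empty
        sub(/[[:space:]]+$/, "", opts)
        n = split(substr($0, RSTART), f, /[[:space:]]+/)    # type, blob, comment
        who = (n >= 3) ? f[3] : "(no comment)"
        if (opts ~ /(^|,)no-touch-required(,|$)/) { print "TOUCH-OPTIONAL " who; bad = 1 }
        if (opts !~ /(^|,)verify-required(,|$)/)  { print "PIN-OPTIONAL " who; bad = 1 }
    }
    END { exit bad }' "$1"
}

# Constructed authorized_keys content for the demo (blobs are not real keys).
write_sample_authorized_keys() {
    printf '%s\n' \
      '# constructed sample file' \
      'sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEXAMPLE alice@laptop' \
      'verify-required sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIEXAMPLE bob@desk' \
      'no-touch-required,verify-required sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEXAMPLE carol@ci' \
      'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE dave@legacy' \
      > "$1"
}

sample=$(mktemp)
write_sample_authorized_keys "$sample"
echo "sshd_config: $SSHD_CONFIG_SNIPPET"
if audit_authorized_keys "$sample"; then
    echo "all FIDO keys require PIN and touch"
else
    echo "FIDO keys usable without PIN or touch were found (listed above)"
fi
rm -f "$sample"
```

Run against the constructed file it reports alice (no verify-required, so PIN optional) and carol (no-touch-required), says nothing about bob, and ignores dave's plain ed25519 key. The per-key verify-required option and the sshd_config default do the same job at different scopes; the client-side -O verify-required on its own only changes what the token demands, which is exactly the part a user could strip, so the server-side setting is the one that enforces policy.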