by wrxd 182 days ago
I do the exact opposite and only use ssh keys stored in secure enclaves. Each device has its own key I have no access to.

Not sure what the author does but I have three devices and keep them for many years. Adding a new ssh key to servers every few years isn’t that bad.


I just use -sk variants with a FIDO authenticator. Being able to port the keys to another trusted machine (i.e. replacing a computer) if I need to is nice. And it's as secure as a secure enclave.

I do prefer to use a unique key for every (local, remote) pair though. It makes revocation more straightforward.

My main blocker on using `-sk` keys is the fact that I can't get them to work on WSL on Windows.
Oh, if I recall, WSL is an Ubuntu VM running on top of Windows, so you'd need to configure USB forwarding for your security key.

Or run ssh-agent on the windows side and forward it into the VM?

Yes. This is the way.