On 2020/01/03 16:15, Fox, Kevin M wrote:
> How does a u2f website then authenticate the same user, with the same
> keyfob, on a different machine? If that actually works, then we should
> be able to use the same mechanism. Maybe it doesn't, and some people
> are going to be locked out of their account when their machine fails
> and they have to go to another one. portability was one of the selling
> points of u2f though I thought. Maybe I'll try and dig up the u2f spec
> and see if there is any detail in it.

With a website, the site can store information that is passed back via
the client's browser to use as a key handle. As said in James Bottomley's
message and djm's reply, doing similar in ssh is not possible without
significantly changing the protocol:

https://lists.mindrot.org/pipermail/openssh-unix-dev/2020-January/038092.html
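The website flow described in the reply above, as an added example that is not part of the original thread and is not OpenSSH or U2F specification code: the site stores the key handle at registration and hands it back at login, so the machine in between needs no state. The names `Token`, `Register` and `Login`, the HMAC-based key derivation (one assumed design for a stateless fob), and the `https://example.test` app ID are assumptions; real U2F message formats are not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// Token models a stateless key fob holding one device secret (assumed design).
type Token struct{ secret []byte }

// key rebuilds the per-site private key from the app ID and key handle.
func (t Token) key(appID string, handle []byte) *ecdsa.PrivateKey {
	m := hmac.New(sha256.New, t.secret)
	m.Write(append([]byte(appID), handle...))
	c, d := elliptic.P256(), new(big.Int).SetBytes(m.Sum(nil))
	d.Mod(d, new(big.Int).Sub(c.Params().N, big.NewInt(1))).Add(d, big.NewInt(1))
	k := &ecdsa.PrivateKey{D: d}
	k.Curve = c
	k.X, k.Y = c.ScalarBaseMult(d.Bytes())
	return k
}

// Register returns what the website stores: key handle and public key.
func (t Token) Register(appID string) ([]byte, *ecdsa.PublicKey) {
	h := make([]byte, 32)
	rand.Read(h)
	return h, &t.key(appID, h).PublicKey
}

// Login models any machine: it keeps no state and relays the site's handle
// and a fresh challenge to the fob, then the site verifies the signature.
func Login(t Token, appID string, handle []byte, pub *ecdsa.PublicKey) bool {
	ch := make([]byte, 32)
	rand.Read(ch)
	sum := sha256.Sum256(append([]byte(appID), ch...))
	sig, err := ecdsa.SignASN1(rand.Reader, t.key(appID, handle), sum[:])
	return err == nil && ecdsa.VerifyASN1(pub, sum[:], sig)
}

func main() {
	fob := Token{secret: []byte("constructed device secret")}
	handle, pub := fob.Register("https://example.test")
	fmt.Println("site-supplied handle:", Login(fob, "https://example.test", handle, pub))
	fmt.Println("handle unavailable:", Login(fob, "https://example.test", make([]byte, 32), pub))
}
```

The second call stands in for a machine that has the fob but no copy of the key handle: the fob derives a different key and the signature does not verify.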