Hi,

Based on my understanding of the FIDO protocol, user verification is independently requested during key creation and verification via server (i.e. relying party in FIDO/WebAuthn terminology) side flags, i.e. "user verification required" is not a per-key/credential, but rather a per-operation property. However, the `ssh-keygen` manpage states that:

> verify-required
> Indicate that this private key should require user verification for each signature.

This seems dangerously misleading in that it seems to imply that this key creation choice somehow becomes an intrinsic property of a key, which I believe is not the case. (Achieving this seems theoretically possible by extending the public key format to include a private key signature over an options list which could then be validated server-side, but as far as I've seen in the code, this is currently not the case – sorry if I missed something.)

As I understand it, the only way to actually enforce user presence verification would be to specify verify-required in either an authorized_keys file (on a per-key basis), or globally for a given server as a PubkeyAuthOptions option.

If that understanding is correct, would it make sense to change the ssh-keygen man page accordingly?

Best,
Lukas

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
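The post above names the two places where user verification for FIDO keys is actually enforced on the server: a per-key verify-required option in authorized_keys, or a global PubkeyAuthOptions in sshd_config. The following audit script is an added example (not code from the poster or from OpenSSH) that lists sk-* keys whose authorized_keys entry lacks that option and checks whether sshd_config enforces it globally; the key blobs and config lines are constructed placeholders, and Match blocks in sshd_config are not handled.

```shell
#!/bin/sh
# Audit helpers for the two enforcement points: per-key "verify-required" in
# authorized_keys and the global PubkeyAuthOptions keyword in sshd_config.

# Constructed sample authorized_keys contents; the key blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS='sk-ssh-ed25519@openssh.com AAAAPLACEHOLDER1 uv-not-enforced@example
verify-required sk-ecdsa-sha2-nistp256@openssh.com AAAAPLACEHOLDER2 uv-enforced@example
ssh-ed25519 AAAAPLACEHOLDER3 non-fido-key@example
command="echo hi",verify-required sk-ssh-ed25519@openssh.com AAAAPLACEHOLDER4 uv-with-command@example
# a comment line
'

# Constructed sshd_config fragment (Match blocks are ignored by this simplified check).
SAMPLE_SSHD_CONFIG='Port 22
PubkeyAuthOptions verify-required
'

# Print the comment field of every FIDO (sk-*) key whose options lack verify-required.
sk_keys_missing_uv() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*(#|$)/ { next }                 # skip comments and blank lines
    {
      # Locate the key-type field; everything before it is the options list
      # (which may contain spaces inside a quoted command="..." option).
      t = 0
      for (i = 1; i <= NF; i++) if ($i ~ /^(sk-|ssh-|ecdsa-)/) { t = i; break }
      if (t == 0 || $t !~ /^sk-/) next            # unparseable, or not a FIDO key
      opts = ""
      for (j = 1; j < t; j++) opts = opts (j > 1 ? " " : "") $j
      # Options are comma-separated; match verify-required as a whole token.
      if ("," opts "," ~ /,verify-required,/) next
      print $(t + 2)
    }'
}

# Return 0 if sshd_config enforces user verification for all FIDO keys globally.
sshd_enforces_uv() {
  printf '%s\n' "$1" | awk '
    tolower($1) == "pubkeyauthoptions" {
      for (i = 2; i <= NF; i++) if ("," $i "," ~ /,verify-required,/) found = 1
    }
    END { exit found ? 0 : 1 }'
}

echo "FIDO keys without per-key verify-required:"
sk_keys_missing_uv "$SAMPLE_AUTHORIZED_KEYS"
if sshd_enforces_uv "$SAMPLE_SSHD_CONFIG"; then
  echo "sshd_config enforces verify-required globally"
else
  echo "sshd_config does not enforce verify-required globally"
fi
```

Point the two functions at real file contents (e.g. `sk_keys_missing_uv "$(cat ~/.ssh/authorized_keys)"`) to audit a host; a key reported by the first check is only covered if the second check also passes.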