Lukas Ribisch:

> Based on my understanding of the FIDO protocol, user verification is
> independently requested during key creation and verification via
> server (i.e. relying party in FIDO/WebAuthN terminology) side flags,
> i.e. "user verification required" is not a per-key/credential, but
> rather a per-operation property.

CTAP 2.1 has a Credential Protection feature which allows a newly
created credential to be mandatorily protected by the authenticator
through some form of user verification, e.g. PIN entry.

This is requested by ssh-keygen when generating a key with the
verify-required option, see sk_enroll() in sk-usbhid.c.

-- 
Christian "naddy" Weisgerber                          naddy@xxxxxxxxxxxx
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
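As an added illustration of the per-credential property described in the reply above (not part of the original message and not OpenSSH code): a checker that reads the credProtect extension from WebAuthn/CTAP2 authenticator data returned at enrollment and reports the policy the authenticator recorded. The function names are hypothetical, the sample authenticator data is constructed, and having the raw authenticator data bytes at hand is an assumption.

```python
# credProtect policy values defined by the CTAP 2.1 credProtect extension
CRED_PROTECT = {1: "userVerificationOptional",
                2: "userVerificationOptionalWithCredentialIDList",
                3: "userVerificationRequired"}

def cbor_decode(buf, pos):
    """Decode one CBOR item (ints, strings, maps); return (value, next_pos)."""
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:
        arg = info
    elif info <= 27:                      # 1-, 2-, 4- or 8-byte argument follows
        size = 1 << (info - 24)
        arg = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    else:
        raise ValueError("unsupported CBOR encoding")
    if major in (0, 1):                   # unsigned / negative integer
        return (arg if major == 0 else -1 - arg), pos
    if major in (2, 3):                   # byte string / text string
        if pos + arg > len(buf):
            raise ValueError("truncated CBOR string")
        raw = bytes(buf[pos:pos + arg])
        return (raw if major == 2 else raw.decode()), pos + arg
    if major == 5:                        # map
        out = {}
        for _ in range(arg):
            key, pos = cbor_decode(buf, pos)
            out[key], pos = cbor_decode(buf, pos)
        return out, pos
    raise ValueError("unsupported CBOR major type")

def cred_protect_policy(auth_data):
    """Return the credProtect policy name in authenticator data, or None."""
    flags, pos = auth_data[32], 37        # rpIdHash(32) + flags(1) + signCount(4)
    if flags & 0x40:                      # AT: attested credential data present
        cred_len = int.from_bytes(auth_data[pos + 16:pos + 18], "big")
        pos += 18 + cred_len              # aaguid(16) + length(2) + credential id
        _, pos = cbor_decode(auth_data, pos)   # skip the COSE public key
    if not flags & 0x80:                  # ED: no extensions map present
        return None
    ext, _ = cbor_decode(auth_data, pos)
    return CRED_PROTECT.get(ext.get("credProtect"))

def sample_auth_data(policy):             # constructed test input, all-zero key/ids
    ext = b"" if policy is None else b"\xa1\x6bcredProtect" + bytes([policy])
    flags = 0x01 | 0x04 | 0x40 | (0x80 if ext else 0)    # UP, UV, AT, ED
    cose = bytes.fromhex("a4010103272006215820") + bytes(32)  # Ed25519 COSE key
    return (bytes(32) + bytes([flags]) + bytes(4) + bytes(16)
            + (16).to_bytes(2, "big") + bytes(16) + cose + ext)
```

A result other than userVerificationRequired for a key that was meant to be generated with verify-required indicates the authenticator did not record the protection level for that credential.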