On Fri, Jan 10, 2025 at 6:45 PM Christian Weisgerber <naddy@xxxxxxxxxxxx> wrote:
>
> Lukas Ribisch:
>
> > Based on my understanding of the FIDO protocol, user verification is
> > independently requested during key creation and verification via
> > server (i.e. relying party in FIDO/WebAuthN terminology) side flags,
> > i.e. "user verification required" is not a per-key/credential, but
> > rather a per-operation property.
>
> CTAP 2.1 has a Credential Protection feature which allows a newly
> created credential to be mandatorily protected by the authenticator
> through some form of user verification, e.g. PIN entry. This is
> requested by ssh-keygen when generating a key with the verify-required
> option, see sk_enroll() in sk-usbhid.c.
>

Ah, and it looks like ssh-keygen then errors out if this option is
requested but not supported by a given authenticator.

Thank you, appreciate it!

Best,
Lukas
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev