From: Jason McIntyre
Subject: Re: ssh-keygen(1) FIDO authentication supports fingerprints
To: tech@openbsd.org
Date: Tue, 26 Nov 2024 20:25:40 +0000

On Mon, Nov 25, 2024 at 05:19:19PM -0700, Zack Newman wrote:
> Currently ssh-keygen(1) states "PIN authentication is the only
> supported verification method"; however that is no longer true as I am
> able to use my fingerprint when using a YubiKey Bio. Not sure what
> would be the best way to "fix" this. I'm leaning towards just removing
> that sentence entirely; however adding "biometric"/"fingerprint" works
> too.
>
> [zack@laptop ~]$ diff ssh-keygen.1 ssh-keygen.1.new
> 1133,1134d1132
> < Currently PIN authentication is the only supported verification method,
> < but other methods may be supported in the future.
>

hi!

maybe someone who knows this stuff better can verify this:

normally, you can just touch the key and it works. but with
verify-required you have to enter a pin too.

with the bio version, isn't it that it isn't just a touch but the actual
fingerprint is read? and that you still then need a pin (if you've set
verify-required)? i.e. the text is still correct. or does it not work
that way?

jmc
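
Review bot: the deletion at 1133,1134d1132 removes the only statement in this passage about which verification methods are supported, so after the change the page no longer says that a PIN works at all. If the fingerprint behaviour reported in the thread is confirmed, rewording the sentence to name the supported methods would keep that information for readers, where deleting it loses it. The hunk is also in plain diff format with no context lines or file path, which makes it hard to place in the tree; a unified diff (diff -u) against the checked-out ssh-keygen.1 would be easier to review and apply.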