From: Zack Newman
Subject: Re: ssh-keygen(1) FIDO authentication supports fingerprints
To: tech@openbsd.org
Date: Tue, 26 Nov 2024 13:55:02 -0700

> or does it not work that way?

It does not work that way. When I _generate_ a key, I'm required to both press the FIDO key and enter the PIN; however, when I authenticate to the server, I only need to press it. If I touch it using a different finger than one that is registered, it errors and my YubiKey's remaining attempts counter is decremented. If I have 3 consecutive unsuccessful attempts (i.e., there are 0 remaining attempts), the key locks and I have to enter my PIN to unlock it. I can't even try to use a PIN. It's successful fingerprint or nothing.

I generated the key via the command below:

    ssh-keygen -t ed25519-sk -O resident -O verify-required

I'm using a YubiKey C Bio - FIDO Edition (5.7.2). The server is configured to only allow publickey authentication using sk-ssh-ed25519@openssh.com with touch-required and verify-required PubkeyAuthOptions.
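
Added example, not part of the message above and not OpenSSH's own code: a sketch of how a server-side check can tell a bare touch from a verified touch, using the signature layout in OpenSSH's PROTOCOL.u2f (type string, signature string, one flags byte, 32-bit counter) and the FIDO flag bits 0x01 (user presence) and 0x04 (user verification). The function names and the sample blobs are constructed for illustration; the 64 signature bytes are dummies and are not cryptographically verified here.

```python
import struct

KEY_TYPE = b"sk-ssh-ed25519@openssh.com"
FLAG_UP = 0x01  # user presence: the authenticator was touched
FLAG_UV = 0x04  # user verification: PIN or fingerprint was accepted


def _string(buf, off):
    """Read one SSH 'string': uint32 big-endian length, then that many bytes."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def parse_sk_signature(blob):
    """Return (flags, counter) from an sk-ssh-ed25519 signature blob."""
    name, off = _string(blob, 0)
    if name != KEY_TYPE:
        raise ValueError("unexpected signature type")
    sig, off = _string(blob, off)
    if len(sig) != 64:
        raise ValueError("bad Ed25519 signature length")
    if len(blob) - off != 5:
        raise ValueError("expected 1 flags byte and 4 counter bytes")
    return struct.unpack_from(">BI", blob, off)


def policy_failures(flags, touch_required=True, verify_required=True):
    """List the PubkeyAuthOptions requirements that the flags do not meet."""
    failures = []
    if touch_required and not flags & FLAG_UP:
        failures.append("touch-required")
    if verify_required and not flags & FLAG_UV:
        failures.append("verify-required")
    return failures


def build_sample(flags, counter):
    """Constructed test blob; the signature bytes are 64 zero bytes."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    return s(KEY_TYPE) + s(bytes(64)) + struct.pack(">BI", flags, counter)
```

In a real server the flags and counter are part of the data covered by the authenticator's signature, so this check is only meaningful after that signature has been verified.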