OpenSSH adds support for FIDO/U2F security keys
OpenSSH, the internet’s most popular utility for managing remote servers, has added today support for the FIDO/U2F protocol.
This means that starting with OpenSSH 8.2, released today, users can configure a hardware security key when authenticating via SSH on a remote server.
After users log into a server by using their username& password, or a SSH authentication certificate, they’ll be required to present a FIDO/U2F-based USB, Bluetooth, or NFC-based security key as a second proof-of-identity.
Using a security key is currently considered one of the strongest multi-factor authentication (MFA) methods known today.
Using MFA, commonly referred to as 2FA (two-factor authentication), is the simplest way to prevent hackers from guessing or brute-forcing your SSH passwords and gaining control over your servers.
Last year, Microsoft said that the company’s customers who enabled MFA for their respective Microsoft accounts blocked 99.9% of account hacking attempts, showing just how difficult is to bypass a MFA solution today.
In a table it published in October, Microsoft ranked FIDO-based hardware security keys as the most secure MFA solution and the hardest to crack.
Instructions on setting your first hardware security keys with OpenSSH are included in the OpenSSH 8.2 release notes, here.