Using FIDO2 for SSH authentication Using FIDO2 for SSH authentication

Using FIDO2 for SSH authentication

Eugene Oskin Eugene Oskin

Desktop Termius app from 7.41.2 version and the iOS Termius app from 4.13.9 version allow authenticating using ed25519-sk and ecdsa-sk SSH keys, that is using FIDO2 hardware authenticators such as YubiKey, Solo, or OnlyKey.


With this type of authentication, SSH keys are generated by a hardware device. When connecting using such a hardware-generated key, you'll be asked to touch the device and / or provide PIN. Some authenticators allow you to store a copy of the key on the authenticator itself.

Any FIDO2 keys that are stored locally need be imported to Termius for you to be able to use them and then attached to hosts. A key stored on the authenticator can be imported if desired. You may want to import it to avoid selecting the key during a connection or for security reasons.

Starting with 7.44.0, Desktop Termius allows generating FIDO2 keys.

Termius supports only the FIDO 2.0 (CTAP 2) protocol.

Support for FIDO2 keys has been tested on a limited number of devices, so, if you're facing connection issues, please, send us an email including the name of your authenticator.

Important: This type of authentication requires OpenSSH 8.2 or higher to be installed on the server.

Note: You can find more info about FIDO2-based authentication here. (See 'FIDO2 resident keys'.)

Note: FIDO2-based authentication is not available in the Starter (free) plan.


Make sure you grant Termius access to USB, when / if the OS asks that you do so.

Linux requires adding a udev rule for you to be able to access FIDO devices, similar to this one:

#udev rule for allowing HID access to Yubico devices for FIDO support.
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", \
  MODE="0664", GROUP="plugdev", ATTRS{idVendor}=="1050"

On Windows, to be able to import a key stored on an authenticator or connect using one you must be running Termius as administrator. It may also be necessary to install authenticator device drivers. Please, search for the drivers on the vendor's website, e.g. Yubikey smart card driver.

On iPhone with NFC, you need to have a FIDO2 device with NFC or Yubikey 5Ci to use lightning.

On iPad with NFC, you need to have a FIDO2 device with NFC. USB-C is not supported at the moment.

Import a FIDO2 key

FIDO2 keys stored locally can be imported in the same way other keys are imported.

To import a FIDO2 key from an authenticator:

  1. Plug in your authenticator device.
  2. In Preferences, choose Keychain.
  3. Click + New hardware key, then Import FIDO2 key.
  4. Select a FIDO2 authenticator from the list.
  5. Enter the PIN code.
  6. (Optionally) in the Set a label... field, provide a name for the key.
  7. Select the key(s) you'd like to import.
  8. Click Continue.

To use an imported FIDO2 key, you'll need to link it with your Termius host in its properties.

Generate a FIDO2 key

When generating a key, you'll be asked if you want to upload the key to the authenticator. If you choose to do so, two copies of the key will be created: one will be stored on the device, and the second will be saved in Termius.

Note: YubiKey with firmware below 5.2.3 are not compatible with ed25519-sk keys.

To generate a FIDO2 key in Termius:

  1. Plug in the authenticator.
  2. In Preferences, choose Keychain, then + New hardware key and Generate FIDO2 key.
  3. (Optionally) in the Set a label... field, provide a name for the key.
  4. Select the type of key you want to generate: ecdsa-sk or ed25519-sk.
  5. To disable presence verification (via touch), uncheck Require user presence. It is possible to disable presence verification only for locally stored keys.
  6. To enable PIN verification, check Require PIN code.
  7. To place the key on your device, check Store on device.

    Note: This option can be unavailable if you haven't set a PIN code on your FIDO2 device. To learn more about pin codes and YubiKey, please, take a look at this article.

  8. If you're using the 'Store on device' option, provide a user id. It will appear next to the key in the list of keys that will be displayed, when you are connecting to a server.

    Important: It is not possible to store two keys with the same user id and of the same key type on one device. Any previously created duplicate will be rewritten.

  9. Specify the other parameters and click Generate.

Connect using a FIDO2 key on Desktop and Mobile

If you've imported your FIDO2 key, attach the key to the host you want to connect to. During the connection, you may be asked to touch the device and provide PIN, depending on the parameters of the key.

Connecting using a key stored on the authenticator is possible only if no other methods except public key authentication is allowed on the server. If you're going to connect using a key stored on your authenticator, make sure no key is attached to the host (entry) in question and then connect.



To confirm user presence, please bring your NFC key to your iOS device or insert and touch your Yubikey 5Ci.


FIDO2-based keys are not yet supported on Android. Please vote for this feature to subscribe to update.

Add comment

Please sign in to leave a comment.



  • Jimmy2500

    It is possible to specify a different FIDO key for a remote host based on the Termius device being used? E.g. Different Yubikey for Termius on Mac, and Termius on Windows? 

    Right now the the only way to achieve this is to create multiple host entries (for the same remote host) for each Termius device, specifying a different identity for each. 

  • Anonymous

    When it will be available to Android users? There's already support for resident keys in Android.