What does "Store on Device" mean in FIDO2 key generation?

eugene from Termius

This article describes the "Store on Device" toggle in the FIDO2 keygen form.


Enabling this toggle stores the generated SSH key on your FIDO2 device as a discoverable credential (also known as a resident key). After generation, you can import such keys into another Termius app or use them in OpenSSH without providing a private key file.

UX and Security

With all other parameters equal, such keys are less secure than keys that are not stored on the FIDO2 device. In Termius, keys stored on the device and keys that are not have the same UX, because stored-on-device keys are also added to the Termius Keychain, and if you enable the Sync keys and identities setting, they are synced to all your devices.

Additional Options

To be discoverable on the device, each new stored-on-device key must have a unique combination of extra options: key type, User ID, and application. A key generated with the same combination of options will overwrite the existing one.

The User ID can be provided in the keygen form, and the application is set by the Termius app to ssh:termius.
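As an added illustration (not part of the Termius article), the OpenSSH equivalent of the "Store on Device" toggle and of the uniqueness rule above: ssh-keygen creates a discoverable credential with -O resident, scoped by key type, application and user, and ssh-keygen -K later pulls the key back from the token on any machine without a private key file. It assumes OpenSSH 8.4 or newer and a FIDO2 token with a PIN set; the user names and file paths are made up, and by default it only prints the commands.

```sh
#!/bin/sh
# Added example, not from the Termius article or its code base.
# Assumes OpenSSH 8.4+ (for -O verify-required) and a FIDO2 token with a PIN.
# DRY_RUN defaults to 1 so the script only prints the commands; set DRY_RUN=0
# to actually talk to a token.

# Build the ssh-keygen command that creates a discoverable (resident) SSH key.
# The tuple (key type, application, user) identifies the credential slot on the
# token: generating again with the same tuple replaces the earlier key, which
# is the overwrite behaviour the article describes. -O verify-required is an
# added hardening so the token asks for the PIN on every signature.
# $1 = key type (ed25519-sk or ecdsa-sk), $2 = user ID, $3 = output file
resident_keygen_cmd() {
    printf 'ssh-keygen -t %s -O resident -O verify-required -O application=ssh:termius -O user=%s -f %s' \
        "$1" "$2" "$3"
}

# Build the command that downloads every resident key from the token into the
# current directory (OpenSSH names them id_*_rk). This is how the key is used
# on another machine without ever copying a private key file.
resident_download_cmd() {
    printf 'ssh-keygen -K'
}

# Print the command (DRY_RUN=1, the default) or execute it (DRY_RUN=0).
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$1"
    else
        sh -c "$1"
    fi
}

# Two keys with different user IDs coexist on the token; re-running either
# line with the same user ID would overwrite that user's slot.
run "$(resident_keygen_cmd ed25519-sk alice ./id_termius_alice)"
run "$(resident_keygen_cmd ed25519-sk bob ./id_termius_bob)"
run "$(resident_download_cmd)"
```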

Why is it disabled on my key?

The "Store on Device" toggle may be disabled for your key because storing SSH keys on the FIDO2 device requires a PIN code to be set on the device. To learn more about FIDO2 PIN codes on YubiKey, please follow this article.
