What does "Store on Device" mean in the FIDO2 key generation form?

Eugene Oskin

If you enable the 'Store on device' option, the SSH key you are generating will be saved on your FIDO2 device as a resident (discoverable) credential. With a FIDO2 key the private key never leaves the authenticator in any case; what the locally stored "private key" file holds is a key handle that the authenticator needs in order to use the key. A key stored on the device carries that handle with it, so you can establish connections, in Termius or OpenSSH, on any machine the authenticator is plugged into, without the locally stored private key, by selecting the key during the connection process.

(Animated screenshot: fido2-keygen-store-on-device-1.gif)

Security

Using a key stored on the authenticator is generally less secure than using a locally stored key. With a locally stored key, an attacker needs access to both the authenticator and the key file on your computer; with a key stored on the authenticator, the authenticator alone is enough. What remains is the device PIN: it has to be entered to list or retrieve the keys stored on the device, so for a lost or stolen authenticator the PIN is the only remaining barrier (FIDO2 authenticators block the PIN after a limited number of wrong attempts).

Additional options

Every key on the authenticator must have a unique set of attributes: key type, User ID and application. If you create a key with the same combination of attributes, the previously created key is overwritten and you will no longer be able to authenticate with it, even though its public key may still be listed on your servers.

You can specify the User ID in the keygen form; the application is set automatically to Termius (ssh:termius).
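The same mechanism in OpenSSH terms, as an added example that is not part of this article or of Termius: it generates a resident key carrying the three attributes described above (key type, User ID, application), shows which attribute combinations would overwrite each other, and shows how the key handle is pulled back off the authenticator on another machine. It assumes OpenSSH 8.4 or later built with FIDO2 support and an authenticator that already has a PIN set; the user name alice, the application ssh:termius and the file paths are illustrative values chosen for this example.

```shell
#!/bin/sh
# Added example, not Termius code: the OpenSSH equivalent of "Store on device".
# Assumes OpenSSH 8.4+ built with FIDO2 support and an authenticator with a PIN set.
# The user ID, application and paths below are illustrative values.

# Arguments for a resident (discoverable) ed25519-sk key carrying the three
# attributes the form exposes: key type, user ID and application.
# "verify-required" makes every use of the key ask for the PIN, not only a touch.
sk_keygen_args() {
    user="$1"    # User ID, e.g. alice
    app="$2"     # application (relying party ID); OpenSSH requires the "ssh:" prefix
    out="$3"     # where the local key handle and the public key are written
    printf '%s\n' \
        -t ed25519-sk \
        -O resident \
        -O "user=$user" \
        -O "application=$app" \
        -O verify-required \
        -f "$out"
}

# The authenticator keeps one credential per (key type, user ID, application).
# Succeeds when two keys would occupy the same slot, i.e. generating the second
# would overwrite the first.
sk_collides() {
    [ "$1|$2|$3" = "$4|$5|$6" ]
}

# Generate the key; the authenticator prompts for its PIN and a touch.
sk_generate() {
    set -- $(sk_keygen_args "$1" "$2" "$3")   # split the printed argument list
    ssh-keygen "$@"
}

# On any other machine: download the key handle(s) from the authenticator into
# the current directory (prompts for the PIN), or load them straight into the
# running agent. Both flags are stock OpenSSH; Apple's older ssh-add used -K
# for the keychain instead.
sk_retrieve() {
    ssh-keygen -K
    ssh-add -K
}

# Only touch real hardware when explicitly asked for.
if [ "${SK_RUN:-0}" = "1" ]; then
    sk_generate alice ssh:termius "$HOME/.ssh/id_ed25519_sk_termius"
fi
```

Run it with `SK_RUN=1` to actually create the key. `sk_collides` is the rule from the section above made explicit: the same key type, user and application (for example regenerating `alice` under `ssh:termius`) overwrites the earlier credential, while changing any one of the three produces a separate key on the device.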

Why is it disabled for my key?

This option is disabled if you have not set a PIN code on your FIDO2 device, because creating and retrieving keys stored on the device requires the PIN. To learn more about PIN codes and YubiKey, please take a look at this article.

Note: You can find more info about storing keys on authenticator devices here. (See 'FIDO2 resident keys'.)
