---
title: SSH ID – Passkeys for SSH - Termius Blog
description: Discover the latest product news, updates and tips to help you optimize workflows.
published: "May 20, 2026, 5:38 AM UTC"
---

Product

[Security](../security)

[Pricing](../pricing)

[Enterprise](../enterprise)

[Log in](https://account.termius.com/login)

[Sign up](https://account.termius.com/signup)

##### May 20, 2026

##### 6 min read

## SSH ID – Passkeys for SSH

SSH was born in 1995 – the same year the first Nokia candy-bar phones hit shelves, JavaScript was invented, and most people were still dialing into the internet. SSH was designed for a world where a single user has a single device and a single key to connect to a server rack in the same room.

Thirty years later, people connect from multiple devices to manage hundreds of servers scattered across different locations and clouds. Sysadmins, DevOps, and network engineers still use SSH every day to keep everything running. But SSH itself hasn't significantly changed.

And that's where the pain begins.

One of the most secure ways to authenticate over SSH is to issue a unique device-bound key for every user and device, and add the public key to `~/.ssh/authorized_keys` on every server. It works fine at a small scale. With hundreds of servers, dozens of team members, and multiple devices each, it becomes a nightmare.

Most people and teams take the easier route, compromising security. For convenience, they reuse the same key or password across devices and members. Often, sharing secrets via unprotected channels, such as messengers and email, and leaving local copies unsupervised, increases the risk of a leak.

For more control and security, some turn to enterprise-grade solutions such as PAMs, bastion hosts, or SSH certificates. These come with a high cost: complex integration, ongoing maintenance, and steep licensing fees. Security improves, but simplicity disappears.

At Termius, we've spent years trying to make SSH authentication both secure and simple. First, we built an encrypted cloud vault to securely sync and share credentials – removing the need to store local copies across many devices and reducing the risk of leakage. Then we added device-bound FIDO2 keys and unextractable biometric keys protected by Face ID, Touch ID, and Windows Hello. But managing those keys across multiple devices was still painful.

Until now.

## Meet SSH ID

SSH ID is a passkey for SSH. This is a new tool inside Termius that combines the security of device-bound keys with the simplicity of sync. 

SSH ID generates and stores a unique set of device-bound passkeys on each of your devices. Their public keys stay up to date and available at your unique public handle: `https://sshid.io/<your_handle>`.

All you need to do is update `~/.ssh/authorized_keys` with this command:\
`curl https://sshid.io/<your_handle> >> ~/.ssh/authorized_keys`

## How it works

SSH ID passkeys are unextractable and device-bound – they cannot be exported or copied.

For each device, Termius generates keys in different types (ECDSA-SK, ED25519, ECDSA, and RSA) to ensure compatibility across your entire infrastructure.

### ECDSA-SK

The most secure option. ECDSA-SK keys are generated and stored inside a dedicated hardware security chip – either your device's built-in secure hardware or an external FIDO2 security key like a YubiKey. Every connection requires presence or biometric confirmation (such as Face ID, Touch ID, or Windows Hello). Even if your device is stolen or compromised, your connections stay protected.

You can add as many FIDO2 hardware keys to your SSH ID as you want – keep one on your keychain, one in your office drawer, one locked in a safe. This lets you connect with any of these FIDO2 keys on devices without built-in biometric hardware.

>

ECDSA-SK requires OpenSSH 8.2+ (2020).

### ED25519 and ECDSA

A good fit for hosts where presence confirmation isn't required or isn't supported. ED25519 is the modern default – fast and widely supported. ECDSA is a solid alternative for environments where ED25519 isn't available.

>

ED25519 requires OpenSSH 6.5+ (2014)

>

ECDSA requires OpenSSH 5.7+ (2011)

### RSA 

Can be used for legacy devices that don't support modern key types.

>

RSA requires OpenSSH 1.x (1995).

## What makes it secure

SSH ID is built around a few non-negotiable security principles:

**Private keys never leave your device. \
**Private keys are generated securely on your device, cannot be exported, and are never synced to the Termius cloud. Only public keys are synced, ensuring authentication is tied to your devices. 

**Every public key can be verified. \
**Each key is signed by your unique CA key. Anyone can verify that public keys in your SSH ID profile were genuinely generated by Termius on your devices. (add more info if I remove from the Meet SSH ID)

**Biometric-protected. \
**When using ECDSA-SK keys, every SSH connection requires a biometric or presence confirmation. Even if your device is stolen or compromised, your servers remain protected.

**Built on SSH standards. \
**SSH ID is based on SSH and Linux standards. It uses the native `~/.ssh/authorized_keys` files, so you don't need extra agents or daemons.

## How it works for teams

SSH ID isn't just a personal tool – it's a powerful access management mechanism for teams. Anyone managing server access can collect SSH ID profiles from all team members and instantly get their up-to-date public keys to update authorized\_keys file.

Since SSH ID works on the standard SSH mechanism authorized\_keys file, it enables easy integration of SSH ID with tools like Ansible, Puppet, or JumpCloud to automate key deployment across large fleets.

## Getting started

Setting up SSH ID takes less than a minute:
1. [Download Termius](https://termius.com/download) on all your devices
2. **Open SSH ID** in **Settings** and follow the guided setup to generate passkeys\
3. Add your public keys to your servers by running:\
`curl https://sshid.io/<your_handle> >> ~/.ssh/authorized_keys`\
4. **Assign SSH ID** to your hosts in Termius and connect with one click

That's all it takes to go from juggling dozens of keys to a single, secure, biometric-protected identity that works everywhere.

## The bottom line

SSH ID doesn't ask you to compromise between security and convenience. Your private keys stay on your devices, protected by your device's hardware. Your public identity is always available, always up to date, and always one curl command away from granting access anywhere.

This is SSH authentication done right – finally.\


[Create your SSH ID with Termius →](https://sshid.io/)

##### [Return to Blog](../blog)

On this page

title

##### Share article

## Read more

[May 11, 2026 8 tips for using AI agents on mobile with Termius Learn tips to improve your experience on your phone. Set it up once and your phone stops being a fallback and starts being a workstation.](./8-tips-for-using-ai-agents-on-mobile-in-termius)

[Apr 16, 2026 Post-quantum cryptography Termius has implemented post-quantum cryptography, ensuring your SSH sessions remain protected not just against today's threats but also against future attacks.](./post-quantum-cryptography)

[Jan 27, 2026 Workspaces: Focus Without Losing Context Workspaces bring structure to terminal work. Group related sessions, stay focused, and keep full visibility across hosts without juggling tabs.](./workspaces-focus-without-losing-context)

SSH client for

[iPad](../free-ssh-client-for-ipad)

[iPhone](../free-ssh-client-for-iphone)

[Android](../free-ssh-client-for-android)

[macOS](../free-ssh-client-for-mac-os)

[Windows](../free-ssh-client-for-windows)

[Linux](../free-ssh-client-for-linux)

Product

[Download](https://termius.com/download)

[Gloria Ops](https://gloriaops.com)↗

[SSH.id Passkeys](https://sshid.io/)↗

[Vault](../vault)

Resources

[Education](../education)

[For Open Source](../opensource)

[Beta Program 🚀](../beta-program)

[Documentation](https://docs.termius.com/)

[Customer Support](https://support.termius.com/?_gl=1*1eep0vf*_ga*MTc4OTA4NjUwLjE2NzkyNjExMDc.*_ga_ZPQLW2Q816*MTY5MTQ2MTM4NC40NC4xLjE2OTE0NjE3ODQuMC4wLjA.)

[Feature Requests](https://ideas.termius.com/tabs/1-under-consideration?_gl=1*1eep0vf*_ga*MTc4OTA4NjUwLjE2NzkyNjExMDc.*_ga_ZPQLW2Q816*MTY5MTQ2MTM4NC40NC4xLjE2OTE0NjE3ODQuMC4wLjA.)

Security

[System Status](https://status.termius.com/?_gl=1*1eep0vf*_ga*MTc4OTA4NjUwLjE2NzkyNjExMDc.*_ga_ZPQLW2Q816*MTY5MTQ2MTM4NC40NC4xLjE2OTE0NjE3ODQuMC4wLjA.)

[Trust center](https://security.termius.com/)

[Security](../security)

[Changelog](https://termi.us/desktop-changelog)

Company

[About Us](../about)

[Blog](../blog)

[Careers](../careers)

[Brand Resources](../brand-resources)

Ⓒ 2026 Termius Corporation. All rights reserved

[Terms of Use](../terms-of-use)

[Privacy Policy](../privacy-policy)

[Responsible Disclosure](../responsible-disclosure)