Generate FIDO2 Key for SSH

Generate FIDO2 key

Termius makes it easy to use hardware keys for SSH connections, providing a way to try cutting-edge security practices with just a few clicks. Start by generating the FIDO2 key on mobile and desktop.

ⓘ Hardware keys usually need to be set up before their first use. Some require a PIN code, while others use a biometric scanner and require you to enroll your fingerprint. Make sure you finish setting up your hardware key before following the steps below.

To generate a FIDO2 key, follow these steps:

  1. Navigate to the Keychain.

  2. Click FIDO2 and choose Generate FIDO2 keys in the context menu.

  3. Plug in your hardware key.

  4. Select your hardware key in the device list.

  5. Choose the Key Type. If you are going to connect with FIDO2 keys from mobile and desktop, please select the ECDSA key type. Termius on mobile doesn't support ED25519.

  6. Adjust optional configuration settings such as Require User Presence or Require PIN code and Passphrase for better security. Learn about all configuration settings below.

  7. Click Generate.

Configuration Settings Explained

Require User Presence - when enabled, Termius prompts you to touch the hardware key when logging in to a server. This option is used as 2FA to ensure that authentication doesn't happen without your intent.

Require PIN code - when enabled, Termius prompts you to enter the hardware key's PIN code. This option is available only when your hardware key has a PIN code set.

Store on device - when enabled, Termius creates a discoverable key and stores it on your hardware key. Each discoverable key needs a unique User ID; generating a FIDO2 key with the same ID again will overwrite the previous key. Discoverable keys can be imported from your hardware key to other devices. However, for SSH, this is less secure because if you lose the hardware key, an attacker can access all your FIDO2 keys.

Passphrase provides an additional layer of security. Termius will prompt you for the passphrase on every connection; toggle Save passphrase to avoid passphrase prompts.
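A server-side check for the settings above, added here as an example and not taken from the Termius documentation. It assumes the generated public key is installed in `authorized_keys` as a standard OpenSSH `sk-*` entry, and it uses OpenSSH's own `no-touch-required` and `verify-required` options as the server-side counterparts of Require User Presence and Require PIN code; the sample keys are constructed with dummy bytes.

```python
import base64
import struct

# OpenSSH public-key type names for FIDO2-backed keys, mapped to the page's Key Type labels.
SK_TYPES = {
    "sk-ecdsa-sha2-nistp256@openssh.com": "ECDSA",
    "sk-ssh-ed25519@openssh.com": "ED25519",
}

def ssh_strings(blob):
    """Split an SSH wire-format blob into its length-prefixed strings."""
    out, i = [], 0
    while i + 4 <= len(blob):
        (n,) = struct.unpack(">I", blob[i:i + 4])
        out.append(blob[i + 4:i + 4 + n])
        i += 4 + n
    return out

def audit_line(line):
    """Return (key_type, application, findings) for one authorized_keys line."""
    for name, label in SK_TYPES.items():
        pos = line.find(name + " ")
        if pos >= 0:
            break
    else:
        return None, None, ["not a FIDO2 (sk-*) key"]
    # Options, if any, come before the key type; only flag names are checked here.
    opts = {o.strip() for o in line[:pos].split(",") if o.strip()}
    blob = base64.b64decode(line[pos:].split()[1])
    application = ssh_strings(blob)[-1].decode()  # last field in both sk-* formats
    findings = []
    if "no-touch-required" in opts:
        findings.append("server does not require touch (user presence)")
    if "verify-required" not in opts:
        findings.append("server does not require PIN (user verification)")
    if label == "ED25519":
        findings.append("ED25519: not usable from Termius on mobile")
    return label, application, findings

def make_sample(name, application="ssh:"):
    """Build a CONSTRUCTED public-key field with dummy key bytes, for demonstration only."""
    if "ecdsa" in name:
        parts = [name.encode(), b"nistp256", b"\x04" + bytes(64), application.encode()]
    else:
        parts = [name.encode(), bytes(32), application.encode()]
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return f"{name} {base64.b64encode(blob).decode()} constructed@example"

if __name__ == "__main__":
    for prefix, name in [("verify-required ", "sk-ecdsa-sha2-nistp256@openssh.com"),
                         ("no-touch-required ", "sk-ssh-ed25519@openssh.com")]:
        print(audit_line(prefix + make_sample(name)))
```

The client-side toggles only control how the key is generated and used; what the server enforces depends on these `authorized_keys` options.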

Download Termius on macOS, Windows, Linux, iOS, and Android for the best experience with hardware keys in the industry.

© 2025 Termius. All rights reserved.
