Generate FIDO2 Key for SSH

Termius makes it easy to use hardware keys for SSH connections, providing a way to try cutting-edge security practices with just a few clicks. Start by generating the FIDO2 key on mobile and desktop.
ⓘ Hardware keys usually need to be set up before their first use. Some require a PIN code, while others use a biometric scanner and require you to enroll your fingerprint. Make sure you finish setting up your hardware key before following the steps below.
To generate a FIDO2 key, follow these steps:
1. Navigate to the Keychain.
2. Click FIDO2 and choose Generate FIDO2 keys in the context menu.
3. Plug in your hardware key.
4. Select your hardware key on the device's list.
5. Choose the Key Type. If you are going to connect with FIDO2 keys from mobile and desktop, please select the ECDSA key type. Termius on mobile doesn't support ED25519.
6. Adjust optional configuration settings such as Require User Presence or Require PIN code and Passphrase for better security. Learn about all configuration settings below.
7. Click Generate.
Configuration Settings Explained
Require User Presence - when enabled, Termius prompts you to touch the hardware key when logging in to a server. This option is used as 2FA to ensure that authentication doesn't happen without your intent.
Require PIN code - when enabled, Termius prompts you to enter the hardware key's PIN code. This option is available only when your hardware key has a PIN code set.
Store on device - when enabled, Termius creates a discoverable key and stores it on your hardware key. Each discoverable key needs a unique User ID; generating a FIDO2 key with the same ID again will overwrite the previous key. Discoverable keys can be imported from your hardware key to other devices. However, for SSH, this is less secure because if you lose the hardware key, an attacker can access all your FIDO2 keys.
Passphrase - provides an additional layer of security. Termius will prompt you for the passphrase on every connection; toggle Save passphrase to avoid passphrase prompts.
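The key type, Require User Presence and Require PIN code choices above also have a server-side counterpart. The following is an added example, not Termius code: assuming the server runs OpenSSH, it audits `authorized_keys` lines for FIDO2 (`sk-*`) keys and reports the per-key `no-touch-required` and `verify-required` options together with the ED25519 limitation noted in the steps. The function names and sample lines are constructed for illustration.

```python
import base64
import re
import struct

SK_ECDSA = "sk-ecdsa-sha2-nistp256@openssh.com"
SK_ED25519 = "sk-ssh-ed25519@openssh.com"

def read_fields(blob):
    """Split an SSH wire-format blob into its uint32-length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(blob):
        (n,) = struct.unpack(">I", blob[pos:pos + 4])  # raises on a short prefix
        field = blob[pos + 4:pos + 4 + n]
        if len(field) != n:
            raise ValueError("truncated field")
        fields.append(field)
        pos += 4 + n
    return fields

def audit_line(line):
    """Return (key_type, application, findings) for a FIDO2 key line, else None."""
    tokens = line.split()
    idx = next((i for i, t in enumerate(tokens) if t in (SK_ECDSA, SK_ED25519)), None)
    if idx is None or idx + 1 >= len(tokens):
        return None  # not a hardware-backed (sk-*) key
    # Options precede the key type; split only on commas outside quoted values.
    raw = re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', " ".join(tokens[:idx]))
    options = {o.strip().lower() for o in raw}
    fields = read_fields(base64.b64decode(tokens[idx + 1], validate=True))
    if len(fields) < 3 or fields[0].decode() != tokens[idx]:
        raise ValueError("blob does not match the declared key type")
    findings = []
    if "no-touch-required" in options:
        findings.append("user presence (touch) waived for this key")
    if "verify-required" not in options:
        findings.append("PIN/biometric verification not required for this key")
    if tokens[idx] == SK_ED25519:
        findings.append("ED25519 key: not supported by Termius on mobile")
    return tokens[idx], fields[-1].decode(), findings

def pack(*fields):  # helper used only to build the constructed samples below
    return base64.b64encode(b"".join(struct.pack(">I", len(f)) + f for f in fields)).decode()
# Constructed sample lines with dummy key bytes (not real credentials).
ECDSA_BLOB = pack(SK_ECDSA.encode(), b"nistp256", b"\x04" + bytes(64), b"ssh:")
ED_BLOB = pack(SK_ED25519.encode(), bytes(32), b"ssh:")
SAMPLE = [
    f"verify-required {SK_ECDSA} {ECDSA_BLOB} desktop-and-mobile",
    f'no-touch-required,command="uptime" {SK_ED25519} {ED_BLOB} automation',
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5 software-key",
]
```

OpenSSH can also enforce the PIN requirement for every key at once with `PubkeyAuthOptions verify-required` in `sshd_config`, in which case the per-key finding is informational.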