Generate FIDO2 Key for SSH

To generate a FIDO2 key, follow these steps:

1. Navigate to the Keychain

2. Click FIDO2 and choose Generate FIDO2 keys in the context menu.

3. Plug in your hardware key.

4. Select your hardware key on the device's list.

5. Choose the Key Type. If you are going to connect with FIDO2 keys from mobile and desktop, please select the ECDSA key type. Termius on mobile doesn't support ED25519.

6. Adjust optional configuration settings such as Require User Presence or Require PIN code and Passphrase for better security. Learn about all configuration settings below.

7. Click Generate.

Configuration Settings Explained

Require User Presence - when enabled, Termius prompts you to touch the hardware key when logging in to a server. This option is used as 2FA to ensure that authentication doesn't happen without your intent.

Require PIN code - when enabled, Termius prompts you to enter the hardware key's PIN code. This option is available only when your hardware key has a PIN code set.

Store on device - when enabled, Termius creates a discoverable key and stores it on your hardware key. Each discoverable key needs a unique User ID; generating a FIDO2 key with the same ID again will overwrite the previous key. Discoverable keys can be imported from your hardware key to other devices. However, for SSH, this is less secure because if you lose the hardware key, an attacker can access all your FIDO2 keys.

Passphrase provides an additional layer of security. Termius will prompt you for the passphrase on every connection; toggle Save passphrase to avoid passphrase prompts.