upstream: clarify role of FIDO tokens in multi-factor

author djm@openbsd.org <djm@openbsd.org>

Mon, 11 May 2020 02:11:29 +0000 (02:11 +0000)

committer Damien Miller <djm@mindrot.org>

Wed, 27 May 2020 00:09:18 +0000 (10:09 +1000)
author djm@openbsd.org <djm@openbsd.org>
Mon, 11 May 2020 02:11:29 +0000 (02:11 +0000)
committer Damien Miller <djm@mindrot.org>
Wed, 27 May 2020 00:09:18 +0000 (10:09 +1000)
diff --git a/PROTOCOL.u2f b/PROTOCOL.u2f

index 917e669cddaa344409e793046b8f8a690820599b..fd4325b3aba2a799e1bc39403011b0bce43f3385 100644 (file)
--- a/PROTOCOL.u2f
+++ b/PROTOCOL.u2f
@@ -39,6 +39,13 @@ the key handle be supplied for each signature operation. U2F tokens
  primarily use ECDSA signatures in the NIST-P256 field, though the FIDO2
  standard specifies additional key types, including one based on Ed25519.
  
+Use of U2F security keys does not automatically imply multi-factor
+authentication. From sshd’s perspective, a security key constitutes a
+single factor of authentication, even if protected by a PIN or biometric
+authentication.  To enable multi-factor authentication in ssh, please
+refer to the AuthenticationMethods option in sshd_config(5).
+
+
  SSH U2F Key formats
  -------------------
author	djm@openbsd.org <djm@openbsd.org>
	Mon, 11 May 2020 02:11:29 +0000 (02:11 +0000)
committer	Damien Miller <djm@mindrot.org>
	Wed, 27 May 2020 00:09:18 +0000 (10:09 +1000)