FIDO2 -- only for Linux?

I sure hope there's something on the roadmap to allow FIDO2 devices like YubiKey to find hardware and OpenSSH (>8.2) support natively in Windows 10, 11 and WSL2. So far it looks to be missing in all 3, and Git Bash also won't use my YubiKey 5 NFC device to authenticate to GitHub/Lab, Windows, or AzureAD (non-premium). Anyone have a workaround?

1 Reply

Hello @Alex Mondale. This is indeed a shortcoming, and seems to depend on adding integration with the Windows Hello API into the FIDO2 support used within OpenSSH. Some work was already done on this by various people; one example is OpenSSH SK WinHello (https://github.com/tavrez/openssh-sk-winhello). I seem to recall reading somewhere that this is something that is actively being worked on, but can't find the link right now.