upstream: clarify role of FIDO tokens in multi-factor

authentictation; mostly from Pedro Martelletto OpenBSD-Commit-ID: fbe05685a1f99c74b1baca7130c5a03c2df7c0ac
author: djm@openbsd.org <djm@openbsd.org> 2020-05-11 02:11:29 +0000
committer: Damien Miller <djm@mindrot.org> 2020-05-27 10:09:18 +1000
commit: 5a442cec92c0efd6fffb4af84bf99c70af248ef3 (patch)
tree: 0f165a28427b38ca88f9c9ec03565fd402d5dec6 /PROTOCOL.u2f
parent: ecb2c02d994b3e21994f31a70ff911667c262f1f (diff)
download: openssh-git-5a442cec92c0efd6fffb4af84bf99c70af248ef3.tar.gz
1 files changed, 7 insertions, 0 deletions
diff --git a/PROTOCOL.u2f b/PROTOCOL.u2f
index 917e669c..fd4325b3 100644
--- a/PROTOCOL.u2f
+++ b/PROTOCOL.u2f
@@ -39,6 +39,13 @@ the key handle be supplied for each signature operation. U2F tokens
 primarily use ECDSA signatures in the NIST-P256 field, though the FIDO2
 standard specifies additional key types, including one based on Ed25519.
 
+Use of U2F security keys does not automatically imply multi-factor
+authentication. From sshd’s perspective, a security key constitutes a
+single factor of authentication, even if protected by a PIN or biometric
+authentication.  To enable multi-factor authentication in ssh, please
+refer to the AuthenticationMethods option in sshd_config(5).
+
+
 SSH U2F Key formats
 -------------------
author	djm@openbsd.org <djm@openbsd.org>	2020-05-11 02:11:29 +0000
committer	Damien Miller <djm@mindrot.org>	2020-05-27 10:09:18 +1000
commit	5a442cec92c0efd6fffb4af84bf99c70af248ef3 (patch)
tree	0f165a28427b38ca88f9c9ec03565fd402d5dec6 /PROTOCOL.u2f
parent	ecb2c02d994b3e21994f31a70ff911667c262f1f (diff)
download	openssh-git-5a442cec92c0efd6fffb4af84bf99c70af248ef3.tar.gz