From 25ff03497c88f3882f8343c4bb33220d434a8f29 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 11 May 2020 02:11:30 +0000 Subject: clarify role of FIDO tokens in multi-factor authentication; mostly from Pedro Martelletto --- usr.bin/ssh/PROTOCOL.u2f | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'usr.bin/ssh') diff --git a/usr.bin/ssh/PROTOCOL.u2f b/usr.bin/ssh/PROTOCOL.u2f index 917e669cdda..fd4325b3aba 100644 --- a/usr.bin/ssh/PROTOCOL.u2f +++ b/usr.bin/ssh/PROTOCOL.u2f @@ -39,6 +39,13 @@ the key handle be supplied for each signature operation. U2F tokens primarily use ECDSA signatures in the NIST-P256 field, though the FIDO2 standard specifies additional key types, including one based on Ed25519. +Use of U2F security keys does not automatically imply multi-factor +authentication. From sshd’s perspective, a security key constitutes a +single factor of authentication, even if protected by a PIN or biometric +authentication. To enable multi-factor authentication in ssh, please +refer to the AuthenticationMethods option in sshd_config(5). + + SSH U2F Key formats ------------------- -- cgit v1.2.3
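Review bot: The last sentence of the added paragraph says "To enable multi-factor authentication in ssh" but then points at sshd_config(5), so the requirement is enforced on the server side. Wording it as "in sshd" or "on the server" would match the "From sshd's perspective" sentence just above it and make clear that nothing on the client or token changes the factor count. It would also help to say in one clause what the reader should expect to find there, for example that AuthenticationMethods lets the server require publickey together with a second method such as "publickey,password", since the paragraph currently only names the option. A smaller point: the paragraph says "U2F security keys" while the commit subject says "FIDO tokens" and the context line above mentions FIDO2; picking one term for the new text would avoid implying that the statement applies only to U2F-era devices.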