Download: Stable · Snapshot | Docs | Changes | Wishlist
OpenSSH supports the use of hardware tokens for two-factor
authentication using the FIDO2 protocol. At the SSH layer this is
achieved by adding extra public-key types called
email@example.com (plus their certified versions
in the usual way). The protocol is documented in the file
PROTOCOL.u2f in the OpenSSH source distribution.
Of course, it would be useful for PuTTY to support this too, for users who need to log in to servers that only accept these key types, or users who merely consider this system a security benefit.
This bug is listed at Taxing difficulty, because there are two things we don't have, and would need in order to implement it:
Firstly, we don't know how to go about accessing a hardware token of this kind on Windows. At the time of writing this, we don't even know what type of API would be involved: something built in to Windows, or something that involves loading a driver DLL from the manufacturer of the specific token, or something even stranger.
(On Unix, OpenSSH's own source code is available to function as example code. But an implementation of this system in only Unix PuTTY would be very strange.)
Secondly, more obviously, we'd need some test hardware, in order to get the system working in the first place. And we'd need to keep it, to check it was still working in future releases.