1 files changed, 7 insertions, 0 deletions
diff --git a/PROTOCOL.u2f b/PROTOCOL.u2f
index 917e669cd..fd4325b3a 100644
--- a/PROTOCOL.u2f
+++ b/PROTOCOL.u2f
@@ -39,6 +39,13 @@ the key handle be supplied for each signature operation. U2F tokens
 primarily use ECDSA signatures in the NIST-P256 field, though the FIDO2
 standard specifies additional key types, including one based on Ed25519.
+Use of U2F security keys does not automatically imply multi-factor
+authentication. From sshd’s perspective, a security key constitutes a
+single factor of authentication, even if protected by a PIN or biometric
+authentication.  To enable multi-factor authentication in ssh, please
+refer to the AuthenticationMethods option in sshd_config(5).
 SSH U2F Key formats
 -------------------

diff --git a/PROTOCOL.u2f b/PROTOCOL.u2f index 917e669cd..fd4325b3a 100644 --- a/PROTOCOL.u2f +++ b/PROTOCOL.u2f
@@ -39,6 +39,13 @@ the key handle be supplied for each signature operation. U2F tokens
39	primarily use ECDSA signatures in the NIST-P256 field, though the FIDO2	39	primarily use ECDSA signatures in the NIST-P256 field, though the FIDO2
40	standard specifies additional key types, including one based on Ed25519.	40	standard specifies additional key types, including one based on Ed25519.
41		41
		42	Use of U2F security keys does not automatically imply multi-factor
		43	authentication. From sshd’s perspective, a security key constitutes a
		44	single factor of authentication, even if protected by a PIN or biometric
		45	authentication. To enable multi-factor authentication in ssh, please
		46	refer to the AuthenticationMethods option in sshd_config(5).
		47
		48
42	SSH U2F Key formats	49	SSH U2F Key formats
43	-------------------	50	-------------------
44		51