FIDO2 key without user presence check


Is it possible to have a FIDO2 USB key which I can use as a second factor without requiring me to perform the user presence check? All the keys I've checked so far (YubiKey, Solo Keys, etc.) require me to tap them.

The intention is to use such a key in order to verify that the authentication process was really initiated from my computer and nothing more. That means I do not care if my computer gets cracked and then some bad guy performs an authentication via my computer. However, the key would at least prohibit others from authenticating as me from other devices. Having a "tap-less" FIDO2 key would be really convenient (for example, I would like to use it for my SSH keys; however, tapping the FIDO key every time I log in is cumbersome).

3

There are 3 answers

1
Ackermann Yuriy

All FIDO2 devices have a silent authenticator mode (no UV and no UP). This is done by setting specific flags during the request to the authenticator (UV=0 and UP=0), and you need to check whether GetInfo reports UV and/or UP as true (available).

However, browsers don't have this option right now (as of Nov 2020). This is because there are security and privacy implications. There are some discussions about how this can be properly implemented, so in the future websites might be able to use that.

0
Vlad

The ssh-keygen command from OpenSSH (since 8.2p1) has the -O no-touch-required option that will not require tapping the key. Note that the SSH server has to be set up to allow this, e.g. by adding no-touch-required to the respective authorized_keys entry.
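
Because the server-side no-touch-required option is what actually waives the presence check, an administrator will want to know which authorized_keys entries carry it. The following is an added example, not code from the question or any answer, and not part of OpenSSH: it parses authorized_keys lines (options field with quoting, key type, blob, comment) and lists the FIDO (sk-*) keys whose touch check has been waived. The file contents are constructed sample data with placeholder key blobs.

```python
"""Audit an authorized_keys file for FIDO (sk-*) keys that waive the touch check.

Added example; not part of OpenSSH. The sample content below is constructed.
"""
from dataclasses import dataclass

# Constructed sample authorized_keys content; the base64 blobs are placeholders.
SAMPLE_AUTHORIZED_KEYS = """\
# admin laptop, FIDO key with touch required (sshd default)
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tEXAMPLE1 alice@laptop
# build box, touch waived as described in the answer
no-touch-required sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tEXAMPLE2 ci@builder
# touch waived but confined to one source address and a restricted session
from="10.0.0.5",no-touch-required,restrict sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb21EXAMPLE3 bob@desktop
# ordinary ed25519 key: the option has no effect on non-FIDO keys
no-touch-required ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE4 carol@old
"""

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


@dataclass
class Entry:
    line_no: int
    key_type: str
    options: list
    comment: str


def _first_field(line):
    """Split off the first whitespace-delimited field, honouring double quotes
    and backslash escapes inside quotes (the options field may contain spaces,
    e.g. command="ls -l")."""
    i, n, in_quote = 0, len(line), False
    while i < n:
        c = line[i]
        if c == "\\" and in_quote and i + 1 < n:
            i += 2  # skip escaped character inside quotes
            continue
        if c == '"':
            in_quote = not in_quote
        elif c.isspace() and not in_quote:
            break
        i += 1
    return line[:i], line[i:].lstrip()


def _split_options(opts):
    """Split a comma-separated options field without breaking quoted values."""
    out, cur, in_quote, i = [], [], False, 0
    while i < len(opts):
        c = opts[i]
        if c == "\\" and in_quote and i + 1 < len(opts):
            cur.append(opts[i:i + 2])
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        if c == "," and not in_quote:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        out.append("".join(cur))
    return out


def parse_authorized_keys(text):
    """Parse authorized_keys text into Entry objects, skipping blanks/comments."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first, rest = _first_field(line)
        if first.startswith(KEY_TYPE_PREFIXES):
            options, key_type = [], first          # no options field present
        else:
            options = _split_options(first)
            key_type, rest = _first_field(rest)
        _blob, comment = _first_field(rest)       # blob, then optional comment
        entries.append(Entry(no, key_type, options, comment))
    return entries


def touchless_fido_entries(text):
    """FIDO keys the server would accept without a user-presence assertion."""
    return [e for e in parse_authorized_keys(text)
            if e.key_type.startswith("sk-") and "no-touch-required" in e.options]


if __name__ == "__main__":
    for e in touchless_fido_entries(SAMPLE_AUTHORIZED_KEYS):
        extra = [o for o in e.options if o != "no-touch-required"]
        print(f"line {e.line_no}: {e.key_type} {e.comment} "
              f"touch waived; other options: {extra or 'none'}")
```

Run against a real file with `touchless_fido_entries(open('/path/to/authorized_keys').read())`; entries that waive the touch check without a compensating `from=` or `restrict` option are the ones worth a second look, since they give exactly the trade-off the question describes: the key proves which machine the login came from, but not that a person was at it.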

0
Bahram Piri

This is against the FIDO standard, and user presence or user verification is a mandatory feature of a certified CTAP product. You can use an open-source key and modify it to respond to user presence automatically.