> For the complete documentation index, see [llms.txt](https://docs.termius.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.termius.com/ssh-id-passkeys-for-ssh/ssh-id-security.md).

# SSH ID Security


SSH ID is Termius's system for managing SSH passkeys. It generates and aggregates device-bound passkeys, including FIDO2 and biometric-protected keys, so you can connect to servers without ever copying or sharing a private key.

## Device-bound

SSH ID passkeys are private keys generated and stored on your computer or phone. They never leave the device on which they were generated and cannot be copied or exported.

Only the public keys are synced to your vault and published under the handle you choose, which makes it easier to keep your `~/.ssh/authorized_keys` files up to date.

## Biometric-protected

SSH ID works with Face ID, Touch ID, Windows Hello, and FIDO2 security keys. When using an ECDSA-SK key (OpenSSH's `sk-ecdsa-sha2-nistp256@openssh.com` key type), every connection requires your biometric or presence confirmation on the authenticator.

{% hint style="warning" %}

### Use a strong system password on your device

Across all major modern operating systems, biometrics are a convenience layer, not a replacement for the master cryptographic key. The biometric only unlocks a key that is ultimately protected by your PIN, password, or pattern, so none of these platforms allow you to disable that fallback: if the biometric sensor fails, gets damaged, or the device reboots, the fallback is what decrypts the data.

* **On Desktop:** The default system login password is already alphanumeric, so your fallback is as secure as you choose to make it.
* **On Mobile:** Configure a custom alphanumeric password rather than a standard 4-digit or 6-digit PIN to maximize fallback security.
{% endhint %}

## Every passkey can be verified

Every SSH ID user has a unique CA key pair, created by Termius on the device.

Every passkey generated for SSH ID is signed with your CA private key on the device.

Your SSH ID public page contains the CA public key as well as a certificate for each key.

You can use this information to verify that each and every public key in the SSH ID was generated by Termius on one of your devices and certified by your CA, rather than substituted by someone else.

## Verification procedure

The verification process relies exclusively on the standard OpenSSH tooling (`ssh-keygen`).

### Prerequisites

* `user_cert.pub` - the user's public certificate; its fingerprint is the one that must appear as the `Signing CA` of every key certificate
* `key.pub` - a device public key
* `key_cert.pub` - the certificate issued for that key

In future Termius versions, this information will be obtainable from `https://sshid.io/<username>` or from the SSH ID screen in the app.

### Verification

1. Verify the user identity
   1. Run `ssh-keygen -lvf user_cert.pub`
   2. Compare the resulting SHA256 fingerprint (or the randomart visualization) against the values displayed on the SSH ID page or in the Termius app
2. Verify that the key was signed by the user's CA
   1. Run `ssh-keygen -L -f key_cert.pub` to print the certificate fields
   2. Locate the line `Signing CA: <algorithm> SHA256:<fingerprint>`
   3. Obtain the fingerprint of the user certificate with `ssh-keygen -lf user_cert.pub`
   4. Compare the two SHA256 fingerprints. They must be identical
3. Verify that the certificate belongs to the key
   1. Run `ssh-keygen -lf key.pub`
   2. Run `ssh-keygen -lf key_cert.pub`
   3. Compare the two SHA256 fingerprints. They must be identical (`ssh-keygen -l` on a certificate reports the fingerprint of the certified key, not of the certificate as a whole)

Together, these three steps confirm that the certificate was issued for that exact public key by the CA whose fingerprint is shown on the user's SSH ID page. `ssh-keygen` also validates the certificate's signature against the embedded CA key whenever it loads a certificate, so a tampered `key_cert.pub` is rejected before any fingerprint is printed.
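The same procedure, re-implemented as an added example that is not part of the Termius documentation or product: a Python parser that decodes the OpenSSH certificate wire format (PROTOCOL.certkeys), computes SHA256 fingerprints exactly as `ssh-keygen -l` prints them, and performs the fingerprint comparisons of steps 2 and 3 while returning the user fingerprint for the human comparison in step 1. All key and certificate bytes are constructed dummies (fake curve points, zeroed signatures), and the helper names (`parse_cert`, `verify_sshid_key`, `build_cert`) are this example's own. It does not check the certificate signature, which `ssh-keygen` does on load, so it complements the `ssh-keygen` procedure (for example to bulk-check an `authorized_keys` file) rather than replacing it.

```python
"""Added example, not Termius code: SSH ID verification steps 2 and 3 without
ssh-keygen. Decodes OpenSSH certificate blobs and compares SHA256 fingerprints.
Does NOT verify the certificate signature (ssh-keygen does that when it loads a
cert). All keys and certificates below are constructed dummies."""
import base64
import hashlib
import struct

# Certificate type -> (plain key type, number of length-prefixed key fields that
# follow the nonce). mpints and strings are both length-prefixed, so one reader
# handles every field.
CERT_KEY_FIELDS = {
    "ssh-ed25519-cert-v01@openssh.com": ("ssh-ed25519", 1),
    "sk-ssh-ed25519-cert-v01@openssh.com": ("sk-ssh-ed25519@openssh.com", 2),
    "ecdsa-sha2-nistp256-cert-v01@openssh.com": ("ecdsa-sha2-nistp256", 2),
    "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com": ("sk-ecdsa-sha2-nistp256@openssh.com", 3),
    "ssh-rsa-cert-v01@openssh.com": ("ssh-rsa", 2),
}


def ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, off: int):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    if off + 4 + n > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off + 4:off + 4 + n], off + 4 + n


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint as ssh-keygen prints it: base64 without '=' padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def decode_pub_line(line: str) -> bytes:
    """Wire-format blob from an authorized_keys-style line '<type> <base64> [comment]'."""
    return base64.b64decode(line.split()[1])


def parse_cert(blob: bytes) -> dict:
    """Return the two fingerprints `ssh-keygen -L` shows for a certificate."""
    cert_type, off = read_string(blob, 0)
    plain_type, n_fields = CERT_KEY_FIELDS[cert_type.decode()]
    _nonce, off = read_string(blob, off)
    key_fields = []
    for _ in range(n_fields):
        field, off = read_string(blob, off)
        key_fields.append(field)
    # The certified key's plain blob is the plain type plus the same key fields.
    # `ssh-keygen -lf cert.pub` fingerprints this blob, not the whole certificate.
    plain_blob = ssh_string(plain_type.encode()) + b"".join(map(ssh_string, key_fields))
    _serial, _cert_kind = struct.unpack(">QI", blob[off:off + 12])
    key_id, off = read_string(blob, off + 12)
    _principals, off = read_string(blob, off)
    _valid_after, _valid_before = struct.unpack(">QQ", blob[off:off + 16])
    _critical, off = read_string(blob, off + 16)
    _extensions, off = read_string(blob, off)
    _reserved, off = read_string(blob, off)
    signature_key, off = read_string(blob, off)  # the CA public key blob
    _signature, off = read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing data after certificate signature")
    return {
        "key_id": key_id.decode(),
        "key_fingerprint": fingerprint(plain_blob),    # "Public key:" line of -L
        "ca_fingerprint": fingerprint(signature_key),  # "Signing CA:" line of -L
    }


def verify_sshid_key(user_cert_line: str, key_line: str, key_cert_line: str) -> dict:
    """Steps 2 and 3 of the documented procedure. Step 1 (comparing
    user_fingerprint with the SSH ID page or the app) stays a human check."""
    user_cert = parse_cert(decode_pub_line(user_cert_line))
    key_cert = parse_cert(decode_pub_line(key_cert_line))
    return {
        "user_fingerprint": user_cert["key_fingerprint"],
        "signed_by_user": key_cert["ca_fingerprint"] == user_cert["key_fingerprint"],
        "cert_matches_key": key_cert["key_fingerprint"] == fingerprint(decode_pub_line(key_line)),
    }


def build_cert(cert_type: str, key_fields: list, ca_blob: bytes, key_id: str) -> bytes:
    """Assemble a certificate blob with a dummy signature (constructed test data;
    real certificates come from `ssh-keygen -s`)."""
    body = ssh_string(cert_type.encode()) + ssh_string(b"\x00" * 32)  # nonce
    body += b"".join(map(ssh_string, key_fields))
    body += struct.pack(">QI", 1, 1) + ssh_string(key_id.encode())  # serial, user cert, key id
    body += ssh_string(ssh_string(b"sshid"))                         # principals
    body += struct.pack(">QQ", 0, 2**64 - 1)                         # validity window
    body += ssh_string(b"") * 3                                      # critical options, extensions, reserved
    return body + ssh_string(ca_blob) + ssh_string(b"\x00" * 64)     # CA key, dummy signature


def pub_line(key_type: str, blob: bytes) -> str:
    return f"{key_type} {base64.b64encode(blob).decode()} constructed"


# Constructed CA key (Ed25519, fake point) and device key (sk-ecdsa, fake point).
CA_FIELDS = [bytes(range(32))]
CA_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(CA_FIELDS[0])
DEV_FIELDS = [b"nistp256", b"\x04" + bytes(range(64)), b"ssh:"]  # curve, Q, application
DEV_BLOB = ssh_string(b"sk-ecdsa-sha2-nistp256@openssh.com") + b"".join(map(ssh_string, DEV_FIELDS))
SK_CERT = "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com"

USER_CERT = pub_line("ssh-ed25519-cert-v01@openssh.com",
                     build_cert("ssh-ed25519-cert-v01@openssh.com", CA_FIELDS, CA_BLOB, "sshid-user"))
KEY = pub_line("sk-ecdsa-sha2-nistp256@openssh.com", DEV_BLOB)
KEY_CERT = pub_line(SK_CERT, build_cert(SK_CERT, DEV_FIELDS, CA_BLOB, "laptop"))
# Same device key, but certified by some other CA: step 2 must fail.
ROGUE_CERT = pub_line(SK_CERT, build_cert(SK_CERT, DEV_FIELDS,
                                          ssh_string(b"ssh-ed25519") + ssh_string(bytes(32)), "laptop"))

if __name__ == "__main__":
    print(verify_sshid_key(USER_CERT, KEY, KEY_CERT))    # both checks True
    print(verify_sshid_key(USER_CERT, KEY, ROGUE_CERT))  # signed_by_user False
```

The fingerprint format is the one `ssh-keygen -l` uses: SHA-256 over the plain public key blob, base64-encoded with the trailing `=` stripped. For a certificate the plain blob is rebuilt from the certificate's own key fields, which is exactly why the two fingerprints in step 3 coincide and why the `Signing CA` fingerprint in step 2 can be matched against `ssh-keygen -lf user_cert.pub`.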


