# SSH ID Security


SSH ID is an easy-to-use system for managing SSH passkeys. It generates and aggregates `device-bound` passkeys, including FIDO2 and biometric keys, so you can connect to servers without copying or sharing private keys.

## Device-bound

SSH ID passkeys are private keys generated and stored on your computer or phone. They never leave your device and cannot be copied or exported.

Only public keys are synced to your vault and published under your chosen handle, which makes it easier for you to update your `~/.ssh/authorized_keys` files.

## Biometric-protected

SSH ID works with Face ID, Touch ID, Windows Hello, and FIDO2. When using ECDSA-SK, every connection requires your biometric or presence confirmation.

{% hint style="warning" %}

### PIN code still matters

Across all major modern operating systems, the rule is the same: biometrics are a convenience layer, not a replacement for the master cryptographic key. Because of how hardware-level encryption works, none of these platforms allow you to disable the PIN, password, or pattern fallback. If a biometric sensor fails, gets damaged, or the device reboots, you must have a fallback to decrypt the data.

Therefore, to maximize security, **we recommend** setting up a custom alphanumeric password instead of a 4-digit or 6-digit PIN.
{% endhint %}

## Every passkey can be verified

Every SSH ID user has a unique CA key pair created by Termius on the device.

Every passkey generated for SSH ID is signed using your CA private key on the device.

Your SSH ID public page contains the CA public key as well as certificates for each key.

You can use this information to verify that each and every public key in the SSH ID was generated by Termius.

## Verification procedure

The verification process relies exclusively on the standard OpenSSH tooling (`ssh-keygen`).

### Prerequisites

* `user_cert.pub` - the user's public certificate
* `key.pub` - a device public key
* `key_cert.pub` - the certificate for that key

In future Termius versions, the above info can be obtained from `https://sshid.io/<username>` or the SSH ID screen in the app.

### Verification

1. Verify user identity
   1. Run `ssh-keygen -lvf user_cert.pub`
   2. Compare the resulting SHA256 fingerprint or the `Randomart` visualization against the values displayed on the SSH.id page or in the Termius app
2. Verify the key was signed by the user
   1. Run `ssh-keygen -L -f key_cert.pub` to extract the signer fingerprint from the key certificate
   2. Locate the line: `Signing CA: <algorithm> SHA256:<fingerprint>`
   3. Obtain the fingerprint of the user certificate `ssh-keygen -lf user_cert.pub`
   4. Compare SHA256 fingerprints. They should be identical
3. Verify that the Certificate belongs to the key
   1. Run `ssh-keygen -lf key.pub`
   2. Run `ssh-keygen -lf key_cert.pub`
   3. Compare SHA256 fingerprints. They should be identical

These three steps confirm that the certificate was issued for that exact public key.
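The same three checks, scripted so they can be repeated for every device key on a page. This is an added example, not part of the Termius documentation or tooling; it assumes the three file names listed under Prerequisites, and the function name `verify_sshid_key` and its optional fourth argument (the fingerprint shown on the SSH ID page, for step 1) are this example's own.

```shell
#!/bin/sh
# Added example: automates the verification procedure above with plain ssh-keygen.
# Usage: verify_sshid_key user_cert.pub key.pub key_cert.pub [SHA256:<page fingerprint>]

# fingerprint FILE -> prints the SHA256 fingerprint of the key in FILE.
# For a certificate file, ssh-keygen -l reports the fingerprint of the certified key.
fingerprint() {
    fp=$(ssh-keygen -lf "$1" 2>/dev/null | awk '{print $2}')
    [ -n "$fp" ] && printf '%s\n' "$fp"
}

# signing_ca_fingerprint CERT -> prints the "Signing CA:" fingerprint of CERT.
signing_ca_fingerprint() {
    fp=$(ssh-keygen -L -f "$1" 2>/dev/null | awk '/Signing CA:/ {print $4}')
    [ -n "$fp" ] && printf '%s\n' "$fp"
}

# Returns 0 only if the key certificate was issued by the user's CA key
# and is a certificate for exactly the given public key.
verify_sshid_key() {
    user_cert=$1; key_pub=$2; key_cert=$3; expected=${4:-}

    user_fp=$(fingerprint "$user_cert") || { echo "cannot read $user_cert" >&2; return 1; }

    # Step 1: compare with the fingerprint displayed on the SSH ID page, if supplied
    if [ -n "$expected" ] && [ "$user_fp" != "$expected" ]; then
        echo "user CA fingerprint $user_fp does not match $expected" >&2
        return 1
    fi

    # Step 2: the key certificate must be signed by the user's CA key
    ca_fp=$(signing_ca_fingerprint "$key_cert") || { echo "$key_cert is not a certificate" >&2; return 1; }
    if [ "$ca_fp" != "$user_fp" ]; then
        echo "key certificate signed by $ca_fp, expected $user_fp" >&2
        return 1
    fi

    # Step 3: the certificate must belong to this exact public key
    key_fp=$(fingerprint "$key_pub") || { echo "cannot read $key_pub" >&2; return 1; }
    cert_key_fp=$(fingerprint "$key_cert") || return 1
    if [ "$key_fp" != "$cert_key_fp" ]; then
        echo "certificate is for $cert_key_fp, not $key_fp" >&2
        return 1
    fi

    echo "OK: $key_fp is certified by CA $user_fp"
}
```

A non-zero exit with a message on stderr tells you which of the three checks failed, so a mismatch in step 2 (wrong signer) is distinguishable from one in step 3 (certificate for a different key).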
