Prompt 3 introduces support for YubiKey-based authentication on both Mac and iOS.

PIV Authentication

When using PIV authentication, Prompt supports either RSA or ECDSA keys stored in slot 9. In this configuration, YubiKeys must be connected over USB on macOS and, on iPhones and iPads, over the Lightning port.

Instructions for configuring a YubiKey for PIV authentication are available on the Yubico website.

iOS

Compatibility by connection type: iPhone and iPad
PIV: USB, Lightning, and NFC
FIDO2: Lightning and NFC

On iOS, connections must be configured to use the YubiKey from within the Server settings. Create or edit an existing server, tap the key icon on the right side of the password field, and then select “YubiKey” from the list of keys.

If you attempt to connect to a Server configured to use the YubiKey before you’ve connected it to your device, you’ll be prompted to insert the key when initiating the connection.

Insert YubiKey alert.

If your YubiKey has been configured to require a PIN or touch interaction, Prompt will display alerts for these during the authentication process.

Touch YubiKey alert.

Please Note: At this time USB-C type iOS devices, such as the iPad Pro 3rd generation, have limited support when using the YubiKey 5Ci or another type of YubiKey with USB-C connector. iOS does not officially support all external accessories connected via USB-C on these devices. Should Apple decide to add this support in a future version of iPadOS, we will look into adding this to Prompt 3 as well.

Mac

Compatibility by connection type: Mac
PIV: USB
FIDO2: USB

On the Mac, Prompt supports reading the PKCS11Provider key from ~/.ssh/config, and supports OpenSC and YKCS11. If your PKCS11Provider entry ends with opensc-pkcs11.so or libykcs11.dylib, Prompt will load YubiKey support for the connection.

External SSH agents, like yubikey-agent, can also be used with Prompt on macOS. These agents must be configured using the IdentityAgent key in ~/.ssh/config, as Mac apps cannot read the SSH_AUTH_SOCK environment variable.
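The two ~/.ssh/config rules above, as an added example that is not part of Prompt or its documentation: a shell function that lists which Host blocks set a PKCS11Provider ending in opensc-pkcs11.so or libykcs11.dylib, and which set IdentityAgent. The sample config, its host names, library and socket paths, and the case-sensitive suffix match are assumptions.

```shell
# Added example. The sample config is constructed; all paths are assumptions.
sample_config() {
  cat <<'EOF'
Host piv-ykcs11
    HostName 192.0.2.10
    PKCS11Provider /usr/local/lib/libykcs11.dylib
# keyword=value is also valid ssh_config syntax
Host piv-opensc
    PKCS11Provider=/usr/local/lib/opensc-pkcs11.so
Host hsm
    PKCS11Provider /usr/local/lib/softhsm/libsofthsm2.so
Host agent-box
    IdentityAgent "/usr/local/var/run/yubikey-agent.sock"
EOF
}

# classify_ssh_config FILE -> one line per directive: "<host> <kind> <value>"
#   yubikey-pkcs11  PKCS11Provider ends with opensc-pkcs11.so or libykcs11.dylib
#   other-pkcs11    PKCS11Provider names any other module
#   agent           IdentityAgent is set (external agent such as yubikey-agent)
# Include files are not followed; the suffix match is case-sensitive (assumption).
classify_ssh_config() {
  awk '
    BEGIN { host = "(global)" }
    /^[ \t]*(#.*)?$/ { next }              # blank lines and comments
    {
      line = $0
      sub(/^[ \t]+/, "", line)
      # Keyword and value are separated by whitespace or a single "=".
      if (!match(line, /[ \t]*[ \t=][ \t]*/)) next
      key = tolower(substr(line, 1, RSTART - 1))   # keywords are case-insensitive
      val = substr(line, RSTART + RLENGTH)
      sub(/[ \t]+$/, "", val)
      gsub(/^"|"$/, "", val)               # drop surrounding double quotes
      if (key == "host")  { host = val; next }
      if (key == "match") { host = "(match)"; next }
      if (key == "pkcs11provider") {
        kind = (val ~ /(opensc-pkcs11\.so|libykcs11\.dylib)$/) ? "yubikey-pkcs11" : "other-pkcs11"
        print host, kind, val
      } else if (key == "identityagent") {
        print host, "agent", val
      }
    }
  ' "$1"
}

tmp=$(mktemp) && sample_config > "$tmp" && classify_ssh_config "$tmp"
rm -f "$tmp"
```

To check a real file, call `classify_ssh_config ~/.ssh/config`; a host reported as other-pkcs11 does not match either library name listed above.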

You can also configure a Server to use a YubiKey directly from within Prompt, just as you can on iOS. Create or edit an existing server, click the key icon on the right side of the password field, and then select “YubiKey” from the list of keys.

Configuring a server with a YubiKey in Prompt for macOS.

FIDO2 Authentication

When using FIDO2 authentication, Prompt supports keys in either ECDSA-SK or Ed25519-SK formats. macOS currently requires a YubiKey to be connected via USB.

On iOS, Prompt supports reading keys over NFC, in addition to physically connecting the key to your device via the Lightning port. In the “Keys” section of Prompt’s Settings you can specify whether Prompt should automatically use the Lightning port, the NFC reader, or ask each time a FIDO2 key is used for authentication.

If your FIDO2 key configuration requires the device PIN during authentication, Prompt will display an alert during the connection process.

Servers can be configured to use FIDO2 keys for authentication in the same manner as when using a PIV key. Tap the key icon in the password field, then select the desired key from the list.

FIDO2 Key Generation/Import

On macOS, Prompt supports generating FIDO2 keys in both ECDSA-SK and Ed25519-SK formats.

To generate a new key, open Preferences > Keys and connect your YubiKey to your Mac over USB. Next, click the “+” button and select the desired key type from the list. Enter a name for the new key, the existing device PIN, and any other configuration options as desired. After clicking the “Generate” button, you will need to touch your YubiKey when prompted to complete the key generation process.

After the key has been successfully generated, the authentication token will be stored on your device and a private key file reference will be created in Prompt’s key list.

If you have already generated an ECDSA-SK or Ed25519-SK FIDO2 key, you will only need to import the private key reference file. From the Keys section of Prompt’s settings, choose the option for “New Key”, then choose “Import” and select the key reference file.

Please Note: Generation of ECDSA-SK and Ed25519-SK keys is not currently supported in Prompt for iOS.