| From: | "Joel Jacobson" <joel(at)compiler(dot)org> |
|---|---|
| To: | pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Time to add FIDO2 support? |
| Date: | 2026-01-23 16:40:57 |
| Message-ID: | b55c256c-1e48-4188-8c7a-629a38d7a021@app.fastmail.com |
| Lists: | pgsql-hackers |
Hi hackers,
Would others be interested in adding support for FIDO2 as a new SASL
authentication mechanism?
As a macOS user, FIDO2 has become very convenient since the release of
macOS Tahoe in September 2025, which added built-in support for Secure
Enclave-backed SSH keys [1] [2]. The key pair is generated on the
Secure Enclave and the private key cannot be exported, so even if your
computer is compromised, you can be quite confident that they at least
couldn't steal your private keys. When logging in, you have to touch
Touch ID for the Secure Enclave to sign the challenge. I really
love how this scores very high on both security and convenience.
So, I think it would be nice if authenticating to PostgreSQL via psql
could be made equally secure and convenient, by simply reusing the same
OpenSSH hardware-backed FIDO2 SSH keys: copying the key string from
~/.ssh/authorized_keys and registering it with your PostgreSQL role.
This would of course also work with hardware keys, such as a YubiKey.
Example:
ALTER ROLE joel ADD CREDENTIAL macos 'sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBOG0NTN8AqegdlKrGTuddOFt0G4ANYzwkBtjSS0zCWCB1IuJisW41qBQ/JSGWjJp1B7OXD52AwfyB4sbUs1Kqg0AAAAEc3NoOg==';
Add "fido2" to pg_hba.conf:
hostssl all all 0.0.0.0/0 fido2
hostssl all all ::/0 fido2
You would need to load the resident keys from the FIDO2 authenticator,
once per bootup:
% ssh-add -K
Enter PIN for authenticator:
Resident identity added: ECDSA-SK SHA256:6/FvVcfzjLTt27bieSk5UpsPFYvGGkL5njORDz1JmM8
You would then specify the sk-provider when connecting via psql:
% PGSKPROVIDER=/usr/lib/ssh-keychain.dylib psql
The server sends a random challenge, the user is prompted to touch
Touch ID, the client's security key then signs it, and the server
verifies the signature.
I have some experience with FIDO2/WebAuthn in the application layer,
and would be willing to try to draft a patch for this, given there is
enough interest.
/Joel
[1] https://gist.github.com/arianvp/5f59f1783e3eaf1a2d4cd8e952bb4acf
[2] https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-July/041451.html
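The challenge-response the post sketches (server issues a random challenge, the security key signs it, the server verifies against the key registered on the role), as an added example that is neither part of the post nor PostgreSQL code. It uses the OpenSSH sk-ecdsa-sha2-nistp256@openssh.com key and signature layout from OpenSSH's PROTOCOL.u2f, so a key copied from authorized_keys (the post's own blob is used as input) parses as-is; the function names, the in-memory stand-in for the Secure Enclave, the counter policy and the absence of any SASL framing are assumptions of this example. Go is used because its standard library has P-256 ECDSA without extra dependencies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
)

const skType = "sk-ecdsa-sha2-nistp256@openssh.com"

// PostKeyBlob is the base64 part of the key in the ALTER ROLE example above (public data).
const PostKeyBlob = "AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBOG0NTN8AqegdlKrGTuddOFt0G4ANYzwkBtjSS0zCWCB1IuJisW41qBQ/JSGWjJp1B7OXD52AwfyB4sbUs1Kqg0AAAAEc3NoOg=="

// SKKey is a parsed sk-ecdsa-sha2-nistp256@openssh.com public key.
type SKKey struct {
	Pub         *ecdsa.PublicKey
	Application string // relying-party id the key is bound to; ssh-keygen uses "ssh:"
}

// readString splits one SSH wire "string" (uint32 big-endian length, then bytes) off the front of b.
func readString(b []byte) (field, rest []byte, ok bool) {
	if len(b) >= 4 {
		if n := binary.BigEndian.Uint32(b); uint64(n) <= uint64(len(b)-4) {
			return b[4 : 4+n], b[4+n:], true
		}
	}
	return nil, nil, false
}

// appendString appends s to b as an SSH wire "string".
func appendString(b, s []byte) []byte {
	return append(binary.BigEndian.AppendUint32(b, uint32(len(s))), s...)
}

// mpint encodes a positive integer as SSH mpint bytes (leading 0x00 when the high bit is set).
func mpint(x *big.Int) []byte {
	if b := x.Bytes(); len(b) > 0 && b[0]&0x80 != 0 {
		return append([]byte{0}, b...)
	}
	return x.Bytes()
}

// ParseSKKey decodes an authorized_keys blob (key type, curve name, EC point, application);
// this is the validation a server would do when the credential is registered on a role.
func ParseSKKey(blobB64 string) (*SKKey, error) {
	blob, err := base64.StdEncoding.DecodeString(blobB64)
	if err != nil {
		return nil, err
	}
	var f [4][]byte
	for i, ok := 0, true; i < len(f); i++ {
		if f[i], blob, ok = readString(blob); !ok {
			return nil, errors.New("truncated key blob")
		}
	}
	x, y := elliptic.Unmarshal(elliptic.P256(), f[2]) // x == nil unless a valid point on P-256
	if len(blob) != 0 || string(f[0]) != skType || string(f[1]) != "nistp256" || x == nil {
		return nil, errors.New("not a well-formed " + skType + " key")
	}
	return &SKKey{Pub: &ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}, Application: string(f[3])}, nil
}

// skDigest is what the authenticator signs, per OpenSSH PROTOCOL.u2f:
// SHA-256 over sha256(application) || flags || counter || sha256(challenge).
func skDigest(app string, flags byte, counter uint32, challenge []byte) []byte {
	a, c := sha256.Sum256([]byte(app)), sha256.Sum256(challenge)
	m := append(append(a[:], flags), binary.BigEndian.AppendUint32(nil, counter)...)
	h := sha256.Sum256(append(m, c[:]...))
	return h[:]
}

// SignSK is the authenticator side of one touch (stand-in for the enclave or YubiKey):
// user-presence flag set, signature laid out as ssh-agent returns it (type, ecdsa_signature, flags, counter).
func SignSK(priv *ecdsa.PrivateKey, app string, counter uint32, challenge []byte) ([]byte, error) {
	const flags byte = 0x01
	r, s, err := ecdsa.Sign(rand.Reader, priv, skDigest(app, flags, counter, challenge))
	if err != nil {
		return nil, err
	}
	inner := appendString(appendString(nil, mpint(r)), mpint(s)) // ecdsa_signature: mpint r || mpint s
	sig := append(appendString(appendString(nil, []byte(skType)), inner), flags)
	return binary.BigEndian.AppendUint32(sig, counter), nil
}

// VerifySK is the server side: check the signature over the challenge it issued and return the
// counter to store for next time; lastCounter is the value stored from the previous login.
func VerifySK(key *SKKey, challenge, sig []byte, lastCounter uint32) (uint32, error) {
	typ, rest, ok1 := readString(sig)
	inner, rest, ok2 := readString(rest)
	rb, inner, ok3 := readString(inner)
	sb, inner, ok4 := readString(inner)
	if !(ok1 && ok2 && ok3 && ok4) || string(typ) != skType || len(inner) != 0 || len(rest) != 5 {
		return 0, errors.New("malformed sk signature")
	}
	flags, counter := rest[0], binary.BigEndian.Uint32(rest[1:])
	if flags&0x01 == 0 {
		return 0, errors.New("user-presence flag clear: the key was not touched")
	}
	// Strictly increasing, so a captured signature cannot be replayed. (Assumption: authenticators
	// that lack a counter always report 0 and are deliberately not handled here.)
	if counter <= lastCounter {
		return 0, errors.New("counter did not increase: replay or cloned authenticator")
	}
	R, S := new(big.Int).SetBytes(rb), new(big.Int).SetBytes(sb)
	if !ecdsa.Verify(key.Pub, skDigest(key.Application, flags, counter, challenge), R, S) {
		return 0, errors.New("ECDSA verification failed")
	}
	return counter, nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stand-in for the enclave key
	key := &SKKey{Pub: &priv.PublicKey, Application: "ssh:"}   // what the role would have registered
	challenge := make([]byte, 32)
	rand.Read(challenge) // server side: fresh random challenge per login
	sig, _ := SignSK(priv, "ssh:", 1, challenge)
	ctr, err := VerifySK(key, challenge, sig, 0)
	fmt.Println("login counter:", ctr, "err:", err)
	_, err = VerifySK(key, challenge, sig, ctr) // same signature presented again
	fmt.Println("replay err:", err)
}
```

Two things the parse-and-verify pair makes visible that the prose does not: the application string ("ssh:" for ssh-keygen keys) is hashed into the signed data, so the server must store it with the credential and use it at verification time, and the counter carried in every sk signature is the only thing that turns a captured signature into a detectable replay, so the server needs per-credential state for it, not just the public key.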