@FrederikVA Thanks for sharing your findings!

martin wrote:

@mcpat: I'm sorry, but it's unlikely we will switch to putty-cac.

Seems like WinSCP supports PuTTY-CAC by default as it is just an adapted application that is installed under the same name in Windows, best to uninstall regular PuTTY first of course.

If you remove PuTTY from your system, reboot and install PuTTY-CAC it will work with WinSCP.
I am using FIDO with WinSCP and mRemoteNG already.
First you have to save your FIDO session in PuTTY-CAC (only have to do this one time)
You have to make sure to start Pageant before starting WinSCP, add your FIDO key, start WinSCP, try to login to your server and it will prompt for your key.

You can right click the tray icon of Pageant and ask it to remember your certs and keys.
Add a Pageant shortcut to C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Now WinSCP and every application that uses PuTTY or Pageant as their backend will automatically prompt for your key when you try to connect to your server.

Screenshots in attachment

@mcpat: I'm sorry, but it's unlikely we will switch to putty-cac.

Can you please add fido2 because it's now fully working with putty-cac, see https://github.com/NoMoreFood/putty-cac

WinSCP uses SSH implementation from PuTTY project. Please ask them to implement it.
https://www.chiark.greenend.org.uk/~sgtatham/putty/

In OpenSSH 8.2, there is a new method to use physical key authentication via FIDO2, can you please add support for this?