Before configurating an OpenSSH server or Client for FIDO2 credentials, the decision must be reached as whether to use Discoverable or Non-Discoverable credentials. Either option has different strengths, and the best option depends on the environment SSH is being used in.
Depending on the version of OpenSSH in use, the choice between Discoverable and non-Discoverable keys may not exist. Discoverable credentials require OpenSSH 8.3, while non-discoverable credentials only require OpenSSH 8.2p1. Non-Discoverable credentials will also require the private key to be stored within the ~/.ssh folder of the logged in user as well as the YubiKey. If using a publicly accesable endpoint, it is not recommened to use non-Discoverable credentials for this reason.
Benefits of Non-discoverable keys:
Benefits of Discoverable keys: