We’re leveraging ssh certificates which are backed by keys stored in a variety of hardware. For yubikeys we’re leveraging piv and the standard ssh tooling. We’re determining whether we’ll be able to use a pkcs11 implementation for TPMs and Secure Enclave or whether we’ll need to build a custom agent.