diff --git a/net/openssh/Config.in b/net/openssh/Config.in
new file mode 100644
index 000000000..3690ced2b
--- /dev/null
+++ b/net/openssh/Config.in
@@ -0,0 +1,12 @@
+if PACKAGE_openssh-server
+
+config OPENSSH_LIBFIDO2
+ bool
+ default y
+ prompt "Include libfido2 support in openssh-server"
+ help
+ OpenSSH version 8.2 added two new ssh authentication methods,
+ namely `ecdsa_sk` and `ed25519_sk`. These two methods make use
+ of hardware keys that implement the FIDO and FIDO2 protocols.
+ In order to use these two types, libfido2 is required.
+endif
diff --git a/net/openssh/Makefile b/net/openssh/Makefile
index 1782b02f6..a17f6ff0c 100644
--- a/net/openssh/Makefile
+++ b/net/openssh/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=openssh
 PKG_VERSION:=8.4p1
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \
@@ -21,6 +21,10 @@ PKG_LICENSE_FILES:=LICENCE
 PKG_CPE_ID:=cpe:/a:openssh:openssh
 PKG_REMOVE_FILES:=
+PKG_CONFIG_DEPENDS := \
+ CONFIG_OPENSSH_LIBFIDO2
+
+PKG_BUILD_DEPENDS += OPENSSH_LIBFIDO2:libfido2
 include $(INCLUDE_DIR)/package.mk
@@ -82,11 +86,15 @@ endef
 define Package/openssh-server
 $(call Package/openssh/Default)
- DEPENDS+= +openssh-keygen
+ DEPENDS+= +openssh-keygen +OPENSSH_LIBFIDO2:libfido2
 TITLE+= server
 USERID:=sshd=22:sshd=22
 endef
+define Package/openssh-server/config
+ source "$(SOURCE)/Config.in"
+endef
+
 define Package/openssh-server/description
 OpenSSH server.
 endef
@@ -164,8 +172,9 @@ CONFIGURE_ARGS += \
 --without-bsd-auth \
 --without-kerberos5 \
 --with-stackprotect \
- --with$(if $(CONFIG_OPENSSL_ENGINE),,out)-ssl-engine
-
+ --with$(if $(CONFIG_OPENSSL_ENGINE),,out)-ssl-engine \
+ --with$(if $(CONFIG_OPENSSH_LIBFIDO2),,out)-security-key-builtin
+
 ifeq ($(BUILD_VARIANT),with-pam)
 CONFIGURE_ARGS += \
 --with-pam
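Review bot: `default y` in the new net/openssh/Config.in makes every openssh-server build pull in libfido2 and whatever it depends on unless the builder opts out, so images that never see a hardware key still carry that code; `default n` would make it an explicit choice. The help text spells the key types `ecdsa_sk` and `ed25519_sk`, while OpenSSH names them `ecdsa-sk` and `ed25519-sk`, so the help should use the spelling a user passes to `ssh-keygen -t`. "libfido2 is required" also reads stronger than what the option appears to control: going by the configure switch in the Makefile's last hunk, it selects the built-in libfido2 middleware, and the help could say so.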
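Review bot: The run-time dependency `+OPENSSH_LIBFIDO2:libfido2` is attached only to Package/openssh-server in the `-82,11` hunk, whereas `--with-security-key-builtin` in the `-164,8` hunk is a build-wide configure switch that applies to every binary built from this Makefile. In upstream OpenSSH the built-in FIDO code appears to be linked into the token-facing helper and not into sshd (worth confirming against the 8.4p1 Makefile.in). If that holds, the package shipping that binary is the one needing the dependency, and the `if PACKAGE_openssh-server` guard in Config.in should be keyed on it. Otherwise, with the option on, a package installed without openssh-server could ship a binary whose libfido2 is absent at run time. The other package definitions lie outside the hunk, so this cannot be settled from the diff alone.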
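Review bot: With the option off, `--without-security-key-builtin` in the CONFIGURE_ARGS list of the `-164,8` hunk only drops the libfido2 middleware. As far as upstream's configure documents it, security-key support then stays compiled in and can still be reached through an externally loaded provider library (`SecurityKeyProvider`). If the off state is meant to ship no FIDO code path at all, the switch for that is `--disable-security-key`, unless it is already set elsewhere in the file; note that it would also remove the sk key types themselves. A comment above the flag, for example `# off = no built-in libfido2 middleware; security-key support itself stays enabled`, would record which behaviour is intended. The CONFIGURE_ARGS assignment begins above the hunk.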