diff --git a/data/templates/ssh/sshd_config.j2 b/data/templates/ssh/sshd_config.j2
index 1315bf2cbe..a920f88406 100644
--- a/data/templates/ssh/sshd_config.j2
+++ b/data/templates/ssh/sshd_config.j2
@@ -72,6 +72,20 @@ HostKeyAlgorithms {{ hostkey_algorithm | join(',') }}
 PubkeyAcceptedAlgorithms {{ pubkey_accepted_algorithm | join(',') }}
 {% endif %}
 
+{% if fido is vyos_defined %}
+{%     set configured_pubkey_options = [] %}
+{%     if fido.pin_required is vyos_defined %}
+{{ configured_pubkey_options.append('verify-required') }}
+{%     endif %}
+{%     if fido.touch_required is vyos_defined %}
+{{ configured_pubkey_options.append('touch-required') }}
+{%     endif %}
+{%     if configured_pubkey_options | length > 0 %}
+# Sets one or more public key authentication options.
+PubkeyAuthOptions {{ configured_pubkey_options | join(',') }}
+{%     endif %}
+{% endif %}
+
 {% if mac is vyos_defined %}
 # Specifies the available MAC (message authentication code) algorithms
 MACs {{ mac | join(',') }}
diff --git a/interface-definitions/service_ssh.xml.in b/interface-definitions/service_ssh.xml.in
index c659a7db7e..13449a259f 100644
--- a/interface-definitions/service_ssh.xml.in
+++ b/interface-definitions/service_ssh.xml.in
@@ -61,6 +61,25 @@
               <valueless/>
             </properties>
           </leafNode>
+          <node name="fido">
+            <properties>
+              <help>FIDO2 SSH options</help>
+            </properties>
+            <children>
+              <leafNode name="pin-required">
+                <properties>
+                  <help>Require FIDO2 keys to attest that a user has been verified (e.g. via a PIN)</help>
+                  <valueless/>
+                </properties>
+              </leafNode>
+              <leafNode name="touch-required">
+                <properties>
+                  <help>Require FIDO2 keys to attest that a user is physically present</help>
+                  <valueless/>
+                </properties>
+              </leafNode>
+            </children>
+          </node>
           <node name="dynamic-protection">
             <properties>
               <help>Allow dynamic protection</help>
diff --git a/smoketest/scripts/cli/test_service_ssh.py b/smoketest/scripts/cli/test_service_ssh.py
index 6935464a74..51a717032d 100755
--- a/smoketest/scripts/cli/test_service_ssh.py
+++ b/smoketest/scripts/cli/test_service_ssh.py
@@ -495,5 +495,22 @@ def test_ssh_trusted_user_ca(self):
         self.assertNotIn('none', authorize_principals_file_config)
         self.assertFalse(os.path.exists(f'/home/{test_user}/.ssh/authorized_principals'))
 
+    def test_ssh_fido(self):
+        # Order does matter for this test because of how the template
+        # collects and maps the options.
+        opt_map = {
+            'pin-required': 'verify-required',
+            'touch-required': 'touch-required',
+        }
+        expected = 'PubkeyAuthOptions '
+        for k, v in opt_map.items():
+            self.cli_set(base_path + ['fido', k])
+            expected = f'{expected}{v},'
+        expected = expected[:-1]
+        self.cli_commit()
+        tmp_sshd_conf = read_file(SSHD_CONF)
+        self.assertIn(expected, tmp_sshd_conf)
+
+
 if __name__ == '__main__':
     unittest.main(verbosity=2, failfast=VyOSUnitTestSHIM.TestCase.debug_on())