You are right that the documentation options are quite confusing. This is simply because the focus of these companies is enterprise customers that buy hundreds or thousands of tokens, not consumers. For mobile use on Android, for some mystical reason, Google decided to include the U2F support through Google Authenticator and not Chrome directly. This threw me off for a bit, but since everything works well with mobile. The fact that you cannot extract the private key is by design, this is exactly why I have used Yubikey (Neo) and Feitian (ePass) tokens for SSH authentication. The private key should be generated on the device and never extracted, only that way you can be sure that the authentication done with that private key requires the physical token. Feitian tokens are by the way much cheaper, you can get one for 15€, and they are now also used by Google (Titan Security Key). Here are few articles which helped me get started with the SSH: https://lauri.xn--vsandi-pxa.com/2017/03/yubikey-for-ssh-auth.html https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubikey-neo/ https://www.rcdevs.com/docs/howtos/epass/epass/