diff --git a/CHANGES b/CHANGES
index 457cb52..212c170 100644
--- a/CHANGES
+++ b/CHANGES
@@ -15,6 +15,9 @@ Features and Changes:
 - Add option for requiring both password and pubkey (-t)
 Patch from Jackkal
+ - >> DROPBEAR_SK_KEYS config option now replaces separate DROPBEAR_SK_ECDSA
+ and DROPBEAR_SK_ED25519 options.
+
 - Add 'permitopen' option for authorized_keys to restrict forwarded ports
 Patch from Tuomas Haikarainen
diff --git a/default_options.h b/default_options.h
index 1b5aede..5132775 100644
--- a/default_options.h
+++ b/default_options.h
@@ -154,10 +154,11 @@ IMPORTANT: Some options will require "make clean" after changes */
  * See: ED25519_PRIV_FILENAME */
 #define DROPBEAR_ED25519 1
-/* SK_ECDSA/SK_ED25519 allows u2f security keys for public key auth.
+/* Allow U2F security keys for public key auth, with
+ * sk-ecdsa-sha2-nistp256@openssh.com or sk-ssh-ed25519@openssh.com keys.
+ * The corresponding DROPBEAR_ECDSA or DROPBEAR_ED25519 also needs to be set.
  * This is currently server-only. */
-#define DROPBEAR_SK_ECDSA 1
-#define DROPBEAR_SK_ED25519 1
+#define DROPBEAR_SK_KEYS 1
 /* RSA must be >=1024 */
 #define DROPBEAR_DEFAULT_RSA_SIZE 2048
diff --git a/sysoptions.h b/sysoptions.h
index f52aa70..462e887 100644
--- a/sysoptions.h
+++ b/sysoptions.h
@@ -183,6 +183,13 @@
 #define DROPBEAR_NORMAL_DH ((DROPBEAR_DH_GROUP1) || (DROPBEAR_DH_GROUP14) || (DROPBEAR_DH_GROUP16))
+#ifndef DROPBEAR_SK_ECDSA
+#define DROPBEAR_SK_ECDSA DROPBEAR_SK_KEYS
+#endif
+#ifndef DROPBEAR_SK_ED25519
+#define DROPBEAR_SK_ED25519 DROPBEAR_SK_KEYS
+#endif
+
 /* Dropbear only uses server-sig-algs, only needed if we have rsa-sha256 pubkey auth */
 #define DROPBEAR_EXT_INFO ((DROPBEAR_RSA_SHA256) \
 && ((DROPBEAR_CLI_PUBKEY_AUTH) || (DROPBEAR_SVR_PUBKEY_AUTH)))
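Review bot: In the default_options.h hunk, the new comment says the corresponding DROPBEAR_ECDSA or DROPBEAR_ED25519 "also needs to be set", but nothing in the visible hunks enforces that requirement. A build with `DROPBEAR_SK_KEYS 1` and the base algorithm disabled therefore depends on a check outside this diff, if one exists. Deriving the per-type macros from both settings in sysoptions.h would make the requirement hold by construction, for example `#define DROPBEAR_SK_ECDSA ((DROPBEAR_SK_KEYS) && (DROPBEAR_ECDSA))` and the same form for ED25519. The comment block being edited starts above this hunk.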
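Review bot: In the sysoptions.h hunk, the `#ifndef` guards let an existing definition of DROPBEAR_SK_ECDSA or DROPBEAR_SK_ED25519 take precedence over DROPBEAR_SK_KEYS. Assuming localoptions.h is processed before this point, setting `DROPBEAR_SK_KEYS 0` would not turn security-key authentication off while an old `#define DROPBEAR_SK_ECDSA 1` is still present. That is presumably intended for backward compatibility, but CHANGES describes the new option as replacing the old ones, so the precedence should be documented where it is implemented. I would add above the first guard: `/* Legacy per-type options, if already defined (e.g. in localoptions.h), override DROPBEAR_SK_KEYS */`.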