Interesting. I haven’t had this problem, because every time I need to touch the yubikey macOS pops a giant fucking dialog that requires 2-3 clicks before it lets me tap it.
I hate that dialog, but I found out that you can just tap the yubikey anyway (before clicking) and it'll skip the step of "no, I don't want to scan a QR code with my iPhone"
Ah, thanks!
Shouldn't you only touch your YubiKey when you've just done something that you know requires you to touch your YubiKey? Otherwise, you're just authenticating anything that asks, including the virus.
The most common way I've seen this come up is for GPG signing of git commits. The flow is roughly: sign your first commit of the day -> you get a PIN popup, fill it in, and tap the Yubikey. Later in the day, you commit again -> your PIN is cached, so there's no reminder that you need to tap, other than the key LED blinking. If you don't clue in to what's going on, eventually it'll time out.
So this tool gives you the reminder to say "hey; you're doing a thing that's stalled waiting for your tap".
It reminds me of the way my car pops up on the display to say "hey, make sure to check the back seat" when I turn it off.
Interesting project, but I can't say I've ever wondered whether or not it's time to touch my Yubikey. Authenticating with a token is a very intentful process.
I've found that when I'm cloning submoduled private repos via YK-backed SSH key, I'll need to touch multiple times but there's not always text in the terminal notifying me to do so. Easy to miss the small flashing green light.
Is it possible to add it to ssh-agent once?
No, the idea behind YK-backed keys is that part of the secret lives on the YubiKey and can't be extracted.
So you need to approve the usage of that secret by touching the YubiKey.
Well, if it's the same git server using the same SSH key for every repo, can't you still use SSH's ControlMaster to open the connection once and leave it open?
Yeah could do. I do this for some SSH hosts but not all.
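The ControlMaster idea from the comment above, as an added example that is not from the original thread or from the project being discussed: an `~/.ssh/config` stanza (the host name and 10-minute persistence value are assumptions) that multiplexes every git operation against one host over a single authenticated connection, so the YubiKey is touched once per session rather than once per submodule.

```sshconfig
# Constructed example; adjust Host and ControlPersist to taste.
Host github.com
    # Start a master connection automatically and reuse it for later sessions.
    ControlMaster auto
    # Socket per user@host:port so different accounts do not share a session.
    ControlPath ~/.ssh/cm-%r@%h:%p
    # Keep the master alive 10 minutes after the last session closes.
    ControlPersist 10m
```

The trade-off is the one the thread describes: one touch now authorizes every session over that socket until ControlPersist expires, so keep the window short and check with `ssh -O check github.com` (or close it with `ssh -O exit github.com`) if a touch prompt appears when you did not expect one.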
I have because I use it for a ton of stuff. Password manager, sudo locally, ssh logins, sudo remotely, openpgp decrypt etc.
It happens sometimes that I forget that's what it's waiting for. I'm no longer on Mac though. I have KDE. I don't always see the key flashing either because sometimes it's buried under the mess on my desk (I know...)
It's a bit annoying that YubiKeys don't just trigger a HID event or something; as far as I understand, the only way to tell is by looking for some obscure log entries.
YubiKey is an event-based token. You tap it with explicit intent. If you aren't expecting to tap it, then the fail-safe is you don't. It works that way by design.
You can't use a screwdriver handle as a hammer then complain it doesn't work to your expectations.
I just like to be notified when I need to tap something with explicit intent.
The concern is that if you don't know how many times you should be tapping the YubiKey when you clone a git repo, then an attacker could slip in its own signing requests and you would dutifully tap the YubiKey to authorize them. If you do know how many times to tap, do you still need the notification?
(It's true that if an attacker slipped in a request right before I was expecting to tap my YubiKey, I would tap it a second time to get my operation to succeed under the assumption that it didn't detect my touch the first time. But I would become suspicious if that kept happening.)
It's a bad design for that anyway. It should show me info about what I'm signing on a little display. That would also make it easier to see it needs a touch.
But yeah, like someone said below, many actions like a GitHub pull would need it. I just want something that makes it easier to see it's waiting for me.
For Linux, see: https://github.com/maximbaz/yubikey-touch-detector
I'm looking at the source code but not seeing any notification popups etc. Where's the notification mechanism beyond writing to stdout? Am I misunderstanding the project's use case?
Awesome! I had a look at making something similar but stumbled into issues with looking at file updates with fnotify as it isn't supported on OSX. This is the answer to my prayers! Will definitely add some notification to use this so I get a visual/auditory signal to touch my Yubikey.
Thank you so much for making this
Question: why use YubiKey on a Mac with Secure Enclave?
Portability. I use YubiKeys with desktop Macs, MacBooks, iPads, and iPhones. The alternative would be to create (Secure Enclave) keys in each of those devices and register each of those keys with each thing requiring authentication... which could take a while.
I guess the alternative is something like Passkeys synchronized via iCloud Keychain. Hopefully Apple is encrypting the Passkey key material within the Secure Enclave using each other Secure Enclave's public key. Otherwise it kind of defeats the whole purpose of having a Secure Enclave. (If I remove a YubiKey from a computer, I have some assurance that computer can't authenticate with YK-controlled accounts.)
> Hopefully Apple is encrypting the Passkey key material
iCloud Keychain has always been e2e encrypted. If you lost and recovered your Apple password, you'd lose all your stored passwords.
We support both at work (Touch ID and YubiKey) and often I have my laptop in clamshell mode, so in that sense it's easier to use the YubiKey. Probably not the best reason, but works for me!
I also do clamshell but I bought a Magic Keyboard with Touch ID.
I only wanted to say I appreciate the F-clef in your shell prompt:
Must be a bass shell user
We can think about additionally having a key signature appear when the yubikey is being touched. The longer you hold it the more sharps. Or sometimes flats.
PRs welcome ;)
sweet, I can't wait to download something that will scan my system's logs looking for specific security signals, and then take action when it sees certain ones!
/s
Joking aside, as others have said, I've never been shocked to learn something was waiting for my touch because it's always a thing I've initiated and am usually saying "cmon cmon" while waiting for the key to become ready _for_ me to touch it.
If you want to write a program that notifies my yubikey that a human is waiting for it to light up so they can touch it, then we'll be talking :)