Comment by agwa

The concern is that if you don't know how many times you should be tapping the YubiKey when you clone a git repo, then an attacker could slip in its own signing requests and you would dutifully tap the YubiKey to authorize them. If you do know how many times to tap, do you still need the notification?

(It's true that if an attacker slipped in a request right before I was expecting to tap my YubiKey, I would tap it a second time to get my operation to succeed under the assumption that it didn't detect my touch the first time. But I would become suspicious if that kept happening.)