Comment by immibis
10 days ago
Shouldn't you only touch your YubiKey when you've just done something that you know requires you to touch your YubiKey? Otherwise, you're just authenticating anything that asks, including the virus.
10 days ago
The most common way I've seen this come up is for GPG signing of git commits. The flow is roughly: sign your first commit of the day -> you get a PIN popup, fill it in, and tap the YubiKey. Later in the day, you commit again -> your PIN is cached, so there's no reminder that you need to tap, other than the key LED blinking. If you don't clue in to what's going on, eventually it'll time out.
So this tool gives you the reminder to say "hey; you're doing a thing that's stalled waiting for your tap".
It reminds me of the way my car pops up on the display to say "hey, make sure to check the back seat" when I turn it off.