> iTerm2 has a feature called Triggers, which can execute actions based on text matching a regex in your terminal. So we could write a regex to listen for “Yubikey for” and have it run the same script, eliminating the need to press buttons altogether.<p>Don't do this.<p>Actually seriously, don't do most of this.<p>The fact that your computer <i>cannot</i> induce the yubikey to provide its key material (or evidence of the key material) is where it gets "security" from in the first place. As soon as someone can convince your computer to do <i>something</i> there's an increased chance they can get it to do something else.<p>Some suggestions:<p>- Wire the F14 key up separately to "the finger" (and not to wifi)<p>- Use a yubikey simulator[1]. If your sysadmin won't trust you with the key material inside the yubikey so you can use a simulator, they definitely won't trust you to emulate the simulator with the finger either.<p>[1]: <a href="https://github.com/sstelfox/yubikey-simulator" rel="nofollow">https://github.com/sstelfox/yubikey-simulator</a>
> If you work in tech, you probably have a YubiKey<p>That is a gross overstatement. As someone who works for a pre-IPO startup and has been in the bay in various startups for a number of years, I'd hazard that only 5-10% of the engineers had a YubiKey, let alone "work in tech".<p>Whether or not we _should_ is another question.
Adaprox has various "finger bots" for those who don't want to build their own: <a href="https://www.adaprox.io/" rel="nofollow">https://www.adaprox.io/</a>
This is some cowboy engineering and I love it. Totally shooting from the hip, but still finishing up with a nice long-form post.
Like other comments mentioned, this is super impractical, but that's not the point. Building a robot finger to push a button at the push of a button is a hilarious Saturday afternoon project.<p>Good job, Bert!
Ways they could solve their problem without significantly compromising security:<p>1. Plug the yubikey into the monitor<p>2. Use an extension cord (as they did)<p>3. Switch back to an OTP app (e.g. Google Authenticator or Duo)<p>4. Credit to conk [1] or agl [2]: extend the conductivity via conductive foil or other material, connect to ground to simulate touch<p>Ways you can improve convenience while reducing security:<p>1. This!<p>2. Disable 2FA (credit to another commenter)<p>If 2FA is required by your company, circumventing it by eliminating the security benefit should be severely reprimanded.<p>Why not build a different shitty robot?<p>[1] <a href="https://news.ycombinator.com/item?id=24664842" rel="nofollow">https://news.ycombinator.com/item?id=24664842</a><p>[2] <a href="https://news.ycombinator.com/item?id=24664881" rel="nofollow">https://news.ycombinator.com/item?id=24664881</a>
When I was at Google around 2012, the company had a custom 2FA dongle that detected motion rather than touch. An engineer who had remotely ssh'd into their workstation needed to 2FA and realized that they could send an SMS to their phone, cause the phone to vibrate, and trigger a false 2FA event on the dongle. (Or maybe they got their computer to play a loud noise. I forgot the specific details.)<p>Similar to this fake finger, it was a cool hack at the time but defeated the purpose of 2FA.
Urban myth: somebody taped a hotdog to the CD drive tray of their workstation, and put the yubikey right in front of it. Then, whenever they needed to touch the YK while not physically in front of the workstation, a quick `eject /dev/cdrom` did the trick ;)
Why not just keep the wire attached to the Yubi-key, but leave it electrically floating (high-impedance state) and have the board ground it whenever it needs to be pressed? No need for mechanical triggers...
Tangentially:<p>> <i>And if you work on a political campaign or as a journalist, you should definitely have one (or something similar).</i><p>It's tough, tptacek & idlewords have been facing an uphill battle with that:<p><a href="https://idlewords.com/2019/05/what_i_learned_trying_to_secure_congressional_campaigns.htm" rel="nofollow">https://idlewords.com/2019/05/what_i_learned_trying_to_secur...</a>
Google won’t let you set up 2FA without adding a phone number, which kind of sets you up for a SIM swapping attack by design...<p>My biggest beef is the lack of NFC in the MacBook. I want a key in a card form factor because who the hell has keys these days. Maybe add a hardware button on the card. It would work on mobile and laptops. Banks could use their own credit cards for logging in...
This reminds me of back in the olden days (when SMS MFA was still an "OK" thing to do) when we needed shared MFA for IT admins of various SaaS apps. We set up a dedicated phone, duct-taped to the wall, to get these codes and push them to HipChat (via Tasker & NodeJS).<p>One of my team members did a write-up about it years ago: <a href="https://obviate.io/2015/04/16/making-of-the-mfa-phone-because-twilio-is-too-easy/" rel="nofollow">https://obviate.io/2015/04/16/making-of-the-mfa-phone-becaus...</a>
This reminds me of something that happened at a company I worked at maybe ten years ago. An employee was fired for setting up a webcam that pointed at his 2FA key generator so he could log in remotely without having to carry it around. Hacker mentality, but not in a way that won him the respect of the security team.
It seems like you don't understand the main advantage of these types of security tokens.<p>A rogue trigger of a security token isn't really an issue when using the recommended U2F standard.<p>U2F uses the domain as part of the challenge-response so that phishing/spoofing attacks can be defeated.
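The domain binding the comment above refers to, shown as an added example that is not part of this thread or of any commenter's code: a relying-party verifier that accepts a genuine assertion but rejects one produced on a look-alike origin, a replayed counter, or a missing touch flag. The RP id, origins, key and challenge are constructed values, and an HMAC stands in for the ECDSA P-256 signature a real U2F/FIDO2 key produces.

```python
import hashlib
import hmac
import json
import struct

# Constructed demo: RP registered as example.com, accepting only that origin.
# A real U2F/FIDO2 key signs with ECDSA P-256; HMAC-SHA256 with a constructed
# key stands in here so the demo runs on the standard library (assumption).
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"
DEMO_KEY = b"constructed-demo-key-not-a-real-credential"
FLAG_USER_PRESENT = 0x01

def authenticator_assert(rp_id, origin, challenge, counter):
    """Token side: signs authenticatorData || SHA-256(clientDataJSON). The
    token only sees the rpId/origin the browser hands it, never a password."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        separators=(",", ":")).encode()
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([FLAG_USER_PRESENT]) + struct.pack(">I", counter))
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(DEMO_KEY, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}

def rp_verify(assertion, expected_challenge, last_counter):
    """RP side: the checks that make a phished or replayed assertion fail."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False  # stale or foreign challenge
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False  # browser recorded a different origin: phishing page
    ad = assertion["authenticatorData"]
    if ad[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False  # credential was scoped to a different rpId
    if not ad[32] & FLAG_USER_PRESENT:
        return False  # no physical touch reported by the token
    if struct.unpack(">I", ad[33:37])[0] <= last_counter:
        return False  # signature counter did not advance: clone or replay
    signed = ad + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(DEMO_KEY, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, assertion["signature"])

def demo():
    chal = "demo-challenge-123"  # constructed; a real RP uses fresh random bytes
    good = authenticator_assert(RP_ID, EXPECTED_ORIGIN, chal, 5)
    phish = authenticator_assert("phish.example", "https://phish.example", chal, 5)
    return (rp_verify(good, chal, 4), not rp_verify(phish, chal, 4),
            not rp_verify(good, chal, 5))
```

`demo()` returns `(True, True, True)`: the genuine assertion passes, the look-alike origin fails on the origin and rpIdHash checks, and the replay fails on the counter.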
A slight aside, but so many of these keys seem to have the touch point / button applying force perpendicular to the direction of insertion, I wonder if there is any long-term potential to cause damage to the USB interface.
The obvious next step is to plug this into a server and control it through USB over IP. Call it "remote, centrally controlled 2FA" and your manager will love it!
The final thoughts at the end of the article are amazing:<p>"Why not just press the button?" ... "Don’t you get it? This button BAD, but this button GOOD. Me want to press GOOD button."
Surely an authenticator app like Authy is more secure than a hardware key like Yubikey.<p>To access my account with the former an attacker needs my phone and me to log in to it for them.<p>To access my account with the latter an attacker just needs the hardware key.<p>I usually have my phone on me whereas I don't want to have to keep track of a tiny USB device and am likely to just leave it plugged into my laptop. My laptop is the most valuable item in my home and so most likely to be stolen, along with the attached key.
Nice build but over-engineered. You could achieve the same result by taping a piece of aluminum foil, or maybe even a wire, to the capacitive sensor and connecting it to ground through a relay. Use the ESP8266 to toggle the relay when you want to simulate a button press.
"Now that we have that shell script, we can call it from other places as well. iTerm2 has a feature called Triggers, which can execute actions based on text matching a regex in your terminal. So we could write a regex to listen for “Yubikey for” and have it run the same script, eliminating the need to press buttons altogether."<p>But isn't the whole idea that it shouldn't be possible to trigger it from software?
"So.. you built a button that you press that will press a button? Why not just press the button?” which was a bit infuriating because they clearly missed the whole point. “Don’t you get it? This button BAD, but this button GOOD. Me want to press GOOD button.”"<p>This is gold.
Does the yubikey sense both force AND capacitive touch?<p>Cause if it's only capacitive there is an easier way:<p><a href="https://www.youtube.com/watch?v=JDgDMBquBw0" rel="nofollow">https://www.youtube.com/watch?v=JDgDMBquBw0</a>
I’ve used various yubikeys in personal environments over the past 7 years and found them to be a gimmick rather than a useful tool.<p>They are quite versatile and can be used for many different use cases, which is part of the problem in my opinion. While not a total dummy, I found yubikey software and documentation to be difficult to use and configure and a pain to find how to set up the key for common scenarios. This brings me back to ideal users, probably corporate use where a dedicated team can support users for the specific use cases.
Presses, either accidental or through phishing, with YubiKeys can leak identity; I wrote about it before. Disable OTP mode if you're not using it. <a href="https://medium.com/hackernoon/avoid-leaking-your-identity-with-yubikey-92539b6608a" rel="nofollow">https://medium.com/hackernoon/avoid-leaking-your-identity-wi...</a>
The Bloomberg terminal uses a piece of hardware that generates 2FA tokens, but requires you to scan your fingerprint each time. So we need a fake finger that also has my fingerprint, and a webcam pointed at the 2FA hardware, so I can just get my auth keys remotely and not need to carry around another dongle.
"Why have an Applescript call a shell script? I found that when I launched the shell script directly from Karabiner Elements, it opened a new instance of Terminal.app and took focus away from the window that is prompting for the YubiKey. This causes everything to run in the background."<p>Does anyone know why that is?
A little off topic: Does anyone know of a way to get the results of a yubikey press into a remote desktop session? I frequently remote desktop into laptops that are in arms reach. If I need to use the yubikey, I have to remove it and plug it into my desktop and press it, since it acts as a local keyboard.
> If you work in tech, you probably have a YubiKey<p>I have worked in tech for 10+ years and I hadn’t heard about this product until today.<p>I guess it’s more likely to own a MacBook / Dell / HP / etc. than a yubikey.<p>Still, if someone said “If you work in tech, you probably have a MacBook”, they wouldn’t be taken seriously.
I would place the yubikey on top of a small squared base made out of Sugru, therefore elevating it and making it easier to press. If you are concerned about the stress on the USB port then use one of those "right angle USB cable" short cables available on Amazon.
Reminds me of this, "The Tinda Finger Swipes Right On Tinder So You Don't Have To"<p><a href="https://www.youtube.com/watch?v=IaoDfOaYF4w" rel="nofollow">https://www.youtube.com/watch?v=IaoDfOaYF4w</a>
Really enjoyed reading this post, thanks.<p>It makes me laugh that such a small problem (pressing a yubikey at an awkward angle, which sometimes doesn't register properly) can be solved with such a delightfully over-engineered solution.
see also: <a href="https://smallhacks.files.wordpress.com/2012/11/camera.jpg" rel="nofollow">https://smallhacks.files.wordpress.com/2012/11/camera.jpg</a>
The one thing I don't understand with Yubikeys: doesn't leaving them plugged in at all times in your computer (which the form factor highly encourages you to do) completely defeat the purpose?
Why would one always leave the yubikey in their laptop? Isn't one of the security features supposed to be physical separation of the key and the system when the owner isn't around?
I thought the article was going to be about how there was a serious real vulnerability in the hardware and some remote attacker could spoof the Yubikey being touched.<p>Then the article turned into a joke.
For the new YubiKeys with FIDO support I would recommend disabling OTP; it massively improved the user experience for me. In contrast to TOTP, OTP has some fundamental problems.
And for reasons not affecting many people, OTP is implemented by pretending to be a keyboard, which is just annoying in many cases.<p>But all other operation modes (FIDO, FIDO-U2F, PIV, OpenPGP) do not have that problem.<p>So when possible I use password manager + FIDO(-U2F); where not, it's password manager + TOTP using the yubikey (I plug the USB-C yubikey into my phone, accessing the key's TOTP functionality through the authenticator app).
Wouldn't a really long insulated cable that you touch with your finger work? It would just carry the capacitance, and it would probably cost pennies.
No, no one should own a yubikey.<p>It's an entirely useless device. All you need is a pw manager that saves you from non-malware attacks (email compromise aside). Yubikey cannot save you from persistent malware, which makes it useless in almost all scenarios. The only hardware device that makes sense is the one with a screen (like trezor). Simple click-to-use devices carry no protections that you wouldn't otherwise get with a pw manager.
"If you work in tech, you probably have a YubiKey"<p>The author must live in some kind of bubble. This may only be true at Big Tech companies or other companies with an atypically strong security focus.
At work we used to use the old YubiKeys that were nice and long and had a good contact area. Then they switched to the nanos and wouldn't reprogram the old ones (or even order the larger ones of the same generation, or let us pay for them ourselves).<p>You can do the entire OTP entirely in software. Just be sure that the location where you place the secret is encrypted:<p><a href="https://battlepenguin.com/tech/replacing-okta-verify-with-open-source-software/" rel="nofollow">https://battlepenguin.com/tech/replacing-okta-verify-with-op...</a>