Show HN: yknotify – Notify when YubiKey needs touch on macOS (opens in new tab)

(github.com)

63 pointsnoperator1y ago29 comments

29 comments

23 comments · 9 top-level

throitallaway1y ago· 4 in thread

Interesting project, but I can't say I've ever wondered whether or not it's time to touch my Yubikey. Authenticating with a token is a very intentful process.

noperatorOP1y ago

I've found that when I'm cloning submoduled private repos via YK-backed SSH key, I'll need to touch multiple times but there's not always text in the terminal notifying me to do so. Easy to miss the small flashing green light.

gtirloni1y ago

Is it possible to add it to ssh-agent once?

1 more reply

wkat42421y ago

I have because I use it for a ton of stuff. Password manager, sudo locally, ssh logins, sudo remotely, openpgp decrypt etc.

It happens sometimes that I forget that's what it's waiting for. I'm no longer on Mac though. I have KDE. I don't always see the key flashing either because sometimes it's buried under the mess on my desk (I know...)

It's a bit annoying that yubikeys don't just trigger a hid event or something, as far as i understand the only way to tell is by looking for some obscure log entries.

likeabatterycar1y ago

Yubikey is an event based token. You tap it with explicit intent. If you aren't expecting to tap it, then the fail safe is you don't. It works that way by design.

You can't use a screwdriver handle as a hammer then complain it doesn't work to your expectations.

2 more replies

sureIy1y ago· 4 in thread

Question: why use YubiKey on a Mac with Secure Enclave?

isomorphic1y ago

Portability. I use YubiKeys with desktop Macs, MacBooks, iPads, and iPhones. The alternative would be to create (Secure Enclave) keys in each of those devices and register each of those keys with each thing requiring authentication... which could take a while.

I guess the alternative is something like Passkeys synchronized via iCloud Keychain. Hopefully Apple is encrypting the Passkey key material within the Secure Enclave using each other Secure Enclave's public key. Otherwise it kind of defeats the whole purpose of having a Secure Enclave. (If I remove a YubiKey from a computer, I have some assurance that computer can't authenticate with YK-controlled accounts.)

sureIy1y ago

> Hopefully Apple is encrypting the Passkey key material

iCloud Keychain has always been e2e encrypted. If you lost and recovered your Apple password, you'd lose all your stored passwords.

ivantop1y ago

We support both at work (touchid and yubikey) and often I have my laptop in clamshell mode, so in that sense it’s easier to use the yubikey. Probably not the best reason, but works for me!

Shadowmist1y ago

I also do clamshell but I bought a Magic Keyboard with Touch ID.

philsnow1y ago· 3 in thread

I only wanted to say I appreciate the F-clef in your shell prompt:

  𝄢 yknotify
  {"ts":"2025-02-12T20:09:03Z","type":"FIDO2"}
  {"ts":"2025-02-12T20:09:14Z","type":"OpenPGP"}

pimlottc1y ago

Must be a bass shell user

kazinator1y ago

We can think about additionally having a key signature appear when the yubikey is being touched. The longer you hold it the more sharps. Or sometimes flats.

noperatorOP1y ago

PRs welcome ;)

moribvndvs1y ago· 2 in thread

Interesting. I haven’t had this problem, because every time I need to touch the yubikey macOS pops a giant fucking dialog that requires 2-3 clicks before it lets me tap it.

br0wnr1c31y ago

I hate that dialog, but I found out that you can just tap the yubikey anyway (before clicking) and it'll skip the step of "no, I don't want to scan a QR code with my iPhone"

moribvndvs1y ago

Ah, thanks!

immibis1y ago· 1 in thread

Shouldn't you only touch your YubiKey when you've just done something that you know requires you to touch your YubiKey? Otherwise, you're just authenticating anything that asks, including the virus.

akerl_1y ago

The most common way I've seen this come up is for GPG signing of git commits. The flow is roughly: sign your first commit of the day -> you get a PIN popup, fill it in, and tap the Yubikey. Later in the day, you commit again -> your PIN is cached, so there's no reminder that you need to tap, other than the key LED blinking. If you don't clue in to what's going on, eventually it'll time out.

So this tool gives you the reminder to say "hey; you're doing a thing that's stalled waiting for your tap".

It reminds me of the way my car pops up on the display to say "hey, make sure to check the back seat" when I turn it off.

WhyNotHugo1y ago

For Linux, see: https://github.com/maximbaz/yubikey-touch-detector

alpb1y ago

I'm looking at the source code but not seeing any notification popups etc. Where's the notification mechanism beyond writing to stdout? Am I misunderstanding the project's use case?

theasisa1y ago

Awesome! I had a look at making something similar but stumbled into issues with looking at file updates with fnotify as it isn't supported on OSX. This is the answer to my prayers! Will definitely add some notification to use this so I get a visual/auditory signal to touch my Yubikey.

Thank you so much for making this

wutwutwat1y ago

sweet, I can't wait to download something that will scan my system's logs looking for specific security signals, and then take action when it sees certain ones!

Joking aside, as others have said. I've never been shocked to learn something was waiting for my touch because it's always a thing I've initiated and am usually saying "cmon cmon" while waiting for the key to become ready _for_ me to touch it.

If you want to write a program that notifies my yubikey that a human is waiting for it to light up so they can touch it, then we'll be talking :)

j / k navigate · click thread line to collapse

29 comments

23 comments · 9 top-level

throitallaway1y ago· 4 in thread

Interesting project, but I can't say I've ever wondered whether or not it's time to touch my Yubikey. Authenticating with a token is a very intentful process.

noperatorOP1y ago

gtirloni1y ago

Is it possible to add it to ssh-agent once?

1 more reply

wkat42421y ago

I have because I use it for a ton of stuff. Password manager, sudo locally, ssh logins, sudo remotely, openpgp decrypt etc.

It's a bit annoying that yubikeys don't just trigger a hid event or something, as far as i understand the only way to tell is by looking for some obscure log entries.

likeabatterycar1y ago

Yubikey is an event based token. You tap it with explicit intent. If you aren't expecting to tap it, then the fail safe is you don't. It works that way by design.

You can't use a screwdriver handle as a hammer then complain it doesn't work to your expectations.

2 more replies

sureIy1y ago· 4 in thread

Question: why use YubiKey on a Mac with Secure Enclave?

isomorphic1y ago

sureIy1y ago

> Hopefully Apple is encrypting the Passkey key material

iCloud Keychain has always been e2e encrypted. If you lost and recovered your Apple password, you'd lose all your stored passwords.

ivantop1y ago

We support both at work (touchid and yubikey) and often I have my laptop in clamshell mode, so in that sense it’s easier to use the yubikey. Probably not the best reason, but works for me!

Shadowmist1y ago

I also do clamshell but I bought a Magic Keyboard with Touch ID.

philsnow1y ago· 3 in thread

I only wanted to say I appreciate the F-clef in your shell prompt:

  𝄢 yknotify
  {"ts":"2025-02-12T20:09:03Z","type":"FIDO2"}
  {"ts":"2025-02-12T20:09:14Z","type":"OpenPGP"}

pimlottc1y ago

Must be a bass shell user

kazinator1y ago

We can think about additionally having a key signature appear when the yubikey is being touched. The longer you hold it the more sharps. Or sometimes flats.

noperatorOP1y ago

PRs welcome ;)

moribvndvs1y ago· 2 in thread

Interesting. I haven’t had this problem, because every time I need to touch the yubikey macOS pops a giant fucking dialog that requires 2-3 clicks before it lets me tap it.

br0wnr1c31y ago

I hate that dialog, but I found out that you can just tap the yubikey anyway (before clicking) and it'll skip the step of "no, I don't want to scan a QR code with my iPhone"

moribvndvs1y ago

Ah, thanks!

immibis1y ago· 1 in thread

Shouldn't you only touch your YubiKey when you've just done something that you know requires you to touch your YubiKey? Otherwise, you're just authenticating anything that asks, including the virus.

akerl_1y ago

So this tool gives you the reminder to say "hey; you're doing a thing that's stalled waiting for your tap".

It reminds me of the way my car pops up on the display to say "hey, make sure to check the back seat" when I turn it off.

WhyNotHugo1y ago

For Linux, see: https://github.com/maximbaz/yubikey-touch-detector

alpb1y ago

I'm looking at the source code but not seeing any notification popups etc. Where's the notification mechanism beyond writing to stdout? Am I misunderstanding the project's use case?

theasisa1y ago

Thank you so much for making this

wutwutwat1y ago

sweet, I can't wait to download something that will scan my system's logs looking for specific security signals, and then take action when it sees certain ones!

If you want to write a program that notifies my yubikey that a human is waiting for it to light up so they can touch it, then we'll be talking :)

j / k navigate · click thread line to collapse