YubiKey is a tool for [[Multi-factor authentication]]. It supports [[GNU Privacy Guard|GnuPG]] keys (smartcard).

> The biometric authentication requires power that can't be provided via induction over [[Near-field communication]].

> Your YubiKey is like your house key: it contains the private key needed to log in, but it doesn't contain your username or email. If I find a house key on the ground, I can't break into that house without the address.

It's nice to use [[Alfred]] to get [[Multi-factor authentication]] codes. See [alfred-ykman-oath](https://github.com/Ch00k/alfred-ykman-oath) or [alfred-yubikey-otp](https://github.com/robertoriv/alfred-yubikey-otp) (the best one).

You can list all your codes:

```
ykman oath accounts list
```

To get a code:

```
ykman oath accounts code Jafs
Touch your YubiKey...
Jafs:[email protected] 123456
```

Use [[Homebrew]] to install `ykman`:

```
brew install ykman
```

You can send notifications on [[macOS]] with `osascript`:

```
osascript -e 'display notification "Copied TOTP code to clipboard" with title "ykman oath"'
```

All this can be done with [[pass]] too (with the TOTP plugin).

## SSH keys natively

Read [GitHub Now Supports SSH Security Keys](https://www.yubico.com/blog/github-now-supports-ssh-security-keys/) and [Security keys are now supported for SSH Git operations](https://github.blog/2021-05-10-security-keys-supported-ssh-git-operations/). It mentions you need a recent version of [[OpenSSH]] and `libfido2`:

```
brew install openssh libfido2
```

Create a PIN for the [[FIDO]] functionality (which is a requirement for the next step):

```
ykman fido access change-pin
```

Then:

```
ssh-keygen -t ecdsa-sk -O verify-required
```

Now you will be asked for a passphrase, PIN and physical presence every time you use the key.
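
The `ykman oath accounts code` and `osascript` commands from the TOTP part of this note, combined into one script (an added example, not part of the original note). The function names, the 30-second clipboard timeout and the use of `pbcopy`/`pbpaste` are assumptions; the parser refuses to copy anything unless exactly one account matches the query.

```shell
#!/bin/sh
# Added example: copy one TOTP code from a YubiKey to the macOS clipboard.
# Assumes ykman, pbcopy, pbpaste and osascript are on PATH (macOS + Homebrew).

# Read `ykman oath accounts code` output on stdin and print the code.
# Succeeds only if exactly one line ends in a 6-8 digit code, so an
# ambiguous query (several accounts) or a prompt-only output fails closed.
extract_totp_code() {
    awk '
        $NF ~ /^[0-9]+$/ && length($NF) >= 6 && length($NF) <= 8 {
            code = $NF; n++
        }
        END { if (n == 1) { print code } else { exit 1 } }
    '
}

# Fetch the code for the account matching $1, copy it, notify, and
# clear the clipboard later if it still holds the code.
copy_totp() {
    query=$1
    code=$(ykman oath accounts code "$query" | extract_totp_code) || {
        echo "no single OATH account matches '$query'" >&2
        return 1
    }
    printf '%s' "$code" | pbcopy
    osascript -e 'display notification "Copied TOTP code to clipboard" with title "ykman oath"'
    # Assumed hardening step: do not leave the code in the clipboard.
    (
        sleep 30
        if [ "$(pbpaste)" = "$code" ]; then
            printf '' | pbcopy
        fi
    ) >/dev/null 2>&1 &
}

# Run only when an account query is given, e.g.: ./totp.sh Jafs
if [ "$#" -gt 0 ]; then
    copy_totp "$1"
fi
```
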