by tomatocracy 2606 days ago
Agreed - in particular because PIV doesn’t prevent other apps subsequently using the device as gpg-agent does (necessitating unplugging and replacing it in the USB port).

On the flip side, with PIV there’s no way I’ve seen to have it allow access for a short period of time (eg the way gpg can cache the pin for a set number of seconds) instead of per request which can get a bit annoying if you are invoking ssh repeatedly (which I seem to do a fair bit).

Would also reference the excellent yubioath tool for adding TOTP passwords on sites which don’t support FIDO/U2F - it’s very very easy to use and if you have an Android phone and an NFC enabled yubikey you can use there too.

https://developers.yubico.com/yubioath-desktop/

2 comments

You can configure "--touch-policy=cached" when importing/generating a private key using the CLI PIV management utility, which will cache touches for 10 seconds. Not sure why it's not exposed in the GUI though.

https://developers.yubico.com/yubico-piv-tool/Manuals/yubico...
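The two knobs the thread touches on, gpg-agent's cache TTL (the "set number of seconds" mentioned above) and the PIV slot touch policy, as an added example that is not from the thread and not Yubico's or GnuPG's own code. `default-cache-ttl`, `max-cache-ttl` and their `-ssh` variants are real gpg-agent.conf options; `--touch-policy=cached` is the option named in the comment above; the `-a generate`, `-s`, `-o` and `--pin-policy` flags for yubico-piv-tool are taken from its manual and the slot, path and TTL values are illustrative choices, not recommendations:

```shell
#!/bin/sh
# Added example (not from the thread). Manages the gpg-agent cache TTLs
# discussed above and shows the PIV generate call with a cached touch policy.
set -eu

# Write the four cache-TTL keys into $1/gpg-agent.conf, replacing any earlier
# copies so the file stays single-valued. $2 is the TTL in seconds and applies
# to both the regular and the ssh cache; both default and max are set to it,
# since gpg-agent clamps default-cache-ttl to max-cache-ttl anyway.
write_gpg_agent_conf() {
    dir=$1; ttl=$2
    case $ttl in
        ''|*[!0-9]*) echo "ttl must be a non-negative integer" >&2; return 1 ;;
    esac
    conf="$dir/gpg-agent.conf"
    mkdir -p "$dir"
    touch "$conf"
    # keep every line except the keys we manage (grep exits 1 on an empty result)
    grep -v -E '^(default|max)-cache-ttl(-ssh)?( |$)' "$conf" > "$conf.tmp" || true
    printf 'default-cache-ttl %s\nmax-cache-ttl %s\n' "$ttl" "$ttl" >> "$conf.tmp"
    printf 'default-cache-ttl-ssh %s\nmax-cache-ttl-ssh %s\n' "$ttl" "$ttl" >> "$conf.tmp"
    mv "$conf.tmp" "$conf"
    echo "$conf"
}

# Read one key back out of a gpg-agent.conf; the last occurrence wins, as in gpg.
conf_value() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# Generate a key in PIV slot $1 with touch cached for a short window and the PIN
# asked once per session; public key is written to $2. Needs the hardware, so
# it is only called behind --apply below. (Flags assumed from the tool's manual.)
piv_generate_cached() {
    slot=$1; out=$2
    yubico-piv-tool -a generate -s "$slot" --touch-policy=cached --pin-policy=once -o "$out"
}

if [ "${1:-}" = "--apply" ]; then
    f=$(write_gpg_agent_conf "${GNUPGHOME:-$HOME/.gnupg}" 300)   # 5-minute cache, illustrative
    echo "wrote $f"
    gpgconf --reload gpg-agent          # picks up the new TTLs without killing the agent
    piv_generate_cached 9a ./piv-9a-pub.pem   # slot 9a (PIV authentication), illustrative
fi
```

Run with `--apply` to write the config and generate the key; without arguments only the functions are defined, so the file can be sourced and the config writer used on its own.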

>Agreed - in particular because PIV doesn’t prevent other apps subsequently using the device as gpg-agent does (necessitating unplugging and replacing it in the USB port).

I believe this is no longer the case? At least with current GPGTools on macOS, I leave a Yubikey Nano in one of my USB ports and use it for both GPG and U2F without issue.