Yeah... isn't one benefit of a YubiKey that a secret must be acquired by some very physical and intentional means? If my laptop/password is compromised, then they still can't log in because they need my secret token from the YubiKey. Well, if having that secret token is just one curl call away if they're on the same network, then it's no longer a very physical and intentional safeguard.
I know... layers of unlikelihood... but I'd probably opt for a physical "good button" gapped from my computer as sort of a closed electrical extension of my finger.
> Congratulations, you've defeated the purpose of having a YubiKey.
Even a virtual 2FA button is useful. It prevents people using your stolen credentials to log in to websites unless you click the button, even if it's just a virtual button.
Sure, your computer can be compromised, but it's probably still more secure than SMS 2FA.
I'd hazard saying that the purpose of a YubiKey is to provide two-factor authentication. A YubiKey acts as an item, possession of which implies identity. When you allow for the YubiKey to be activated without human interaction, it's moved from the domain of possession into the domain of knowledge - the identifying party needs to know where to knock, not to possess the key. It's no better than appending the URL at the end of your password.
If you allow for a YubiKey, or any other physical artifact for that matter, to be remotely invoked, it negates its utility as an authentication factor in the physical domain.
It depends on what protects the key. If the problem is being unable to duplicate it, you could protect remote access with a different YubiKey or some other second factor.
And the setup in the article isn't even remote access. If the only way it can be triggered is a local button press, you're golden.
Exactly. At one of my workplaces, we needed 2FA to log into a vendor portal. So we stuck the username, password, and TOTP in Vault, which is protected by corporate AD password only.