| Malware running on your computer can engineer a situation where you would naturally press that without suspecting anything. 1. Malware logs you out of github.com 2. It waits for you to navigate to the login page 3. It initiates an SSH/signing operation requiring physical touch 4. You hit login on github.com, a 2nd FIDO operation is queued up 5. You press the yubikey button, confirming the SSH operation 6. "Nothing happens", so you press it again to log in 7. You're now logged in, and your SSH credentials have just been hijacked. Or it could just inject itself into your shell profile, and do this the next time you ssh anywhere. You never really know what you're confirming so Yubikey's threat model implicitly depends on the host device being trustworthy. This is why hardware wallets for crypto have a physical display to confirm the address and the amount before signing the transaction. |