tux3 9 days ago

If all you want is to make a bot that can use passkeys automatically, add a transistor between your Yubikey's touch button and GND. When you turn the transistor on, the capacitive sensor is activated.

Now the Yubikey is just an API you can call, websites cannot tell the difference. You can't export keys, but a bot can add new keys after using existing keys to log in.

withinboredom 9 days ago

This doesn't work on stolen AWS accounts though /s

jrockway 9 days ago

You can proxy all the underlying USB communications to a physical device. Allowing attestation in the spec was not an anti-bot measure.
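Added example, not code from any of the commenters, to make concrete what tux3's and jrockway's points rest on: a relying party never observes the touch itself, only the one-bit user-presence (UP) flag inside authenticatorData, and the only field that identifies the device model, the AAGUID, arrives in the attested credential data at registration. The parser follows the authenticatorData layout from the WebAuthn spec; the RP ID "example.com", the AAGUID, credential ID and COSE-key bytes are constructed sample values, and `rp_accepts_presence` covers only the rpIdHash and flag checks of assertion verification (signature, challenge and counter checks are omitted).

```python
"""Parse WebAuthn authenticatorData and run the relying-party flag checks on it.

Example code written for this thread, not from any commenter or from the
WebAuthn spec's own test vectors. Sample values below are constructed.
"""
import hashlib
import struct

# Flag bits of the authenticatorData flags byte (WebAuthn spec, section 6.1).
FLAG_UP = 0x01  # user present: the authenticator's presence test passed
FLAG_UV = 0x04  # user verified: PIN or biometric was checked
FLAG_AT = 0x40  # attested credential data follows the sign counter
FLAG_ED = 0x80  # extension data follows

# Constructed sample values (hypothetical, for this example only).
SAMPLE_RP_ID = "example.com"
SAMPLE_AAGUID = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
SAMPLE_CRED_ID = b"\xaa" * 20
SAMPLE_COSE_KEY = b"\xa5\x01\x02"  # stand-in bytes for a CBOR-encoded COSE key


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse the fixed 37-byte header and, when the AT flag is set, the AAGUID
    and credential ID. The COSE public key is returned as raw bytes because
    decoding it needs a CBOR parser; any extension data would follow it."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    parsed = {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "has_extensions": bool(flags & FLAG_ED),
        "sign_count": sign_count,
        "aaguid": None,
        "credential_id": None,
        "cose_public_key": None,
    }
    if flags & FLAG_AT:
        offset = 37
        if len(auth_data) < offset + 18:
            raise ValueError("truncated attested credential data")
        parsed["aaguid"] = auth_data[offset:offset + 16]
        (cred_len,) = struct.unpack(">H", auth_data[offset + 16:offset + 18])
        offset += 18
        if len(auth_data) < offset + cred_len:
            raise ValueError("truncated credential ID")
        parsed["credential_id"] = auth_data[offset:offset + cred_len]
        offset += cred_len
        parsed["cose_public_key"] = auth_data[offset:]
    return parsed


def build_auth_data(rp_id: str, flags: int, sign_count: int,
                    aaguid: bytes = None, credential_id: bytes = b"",
                    cose_key: bytes = b"") -> bytes:
    """Assemble authenticatorData the way an authenticator would. Passing an
    AAGUID produces registration-style data (AT set); omitting it produces the
    header-only form returned with an assertion."""
    data = hashlib.sha256(rp_id.encode()).digest()
    if aaguid is not None:
        flags |= FLAG_AT
    data += bytes([flags]) + struct.pack(">I", sign_count)
    if aaguid is not None:
        data += aaguid + struct.pack(">H", len(credential_id)) + credential_id + cose_key
    return data


def rp_accepts_presence(auth_data: bytes, rp_id: str, require_uv: bool = False) -> bool:
    """The relying-party checks that concern the flags: rpIdHash must match the
    expected RP ID and UP must be set (and UV when the RP demands it). Nothing
    here can tell a finger on the sensor from a transistor pulling it low;
    both end the presence test with the same single bit."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False
    if not parsed["user_present"]:
        return False
    if require_uv and not parsed["user_verified"]:
        return False
    return True


if __name__ == "__main__":
    reg = build_auth_data(SAMPLE_RP_ID, FLAG_UP | FLAG_UV, 0,
                          SAMPLE_AAGUID, SAMPLE_CRED_ID, SAMPLE_COSE_KEY)
    print("registration AAGUID:", parse_authenticator_data(reg)["aaguid"].hex())
    assertion = build_auth_data(SAMPLE_RP_ID, FLAG_UP, 42)
    print("assertion accepted:", rp_accepts_presence(assertion, SAMPLE_RP_ID))
```

The AAGUID parsed here is only meaningful once the attestation statement's signature chains to the vendor's root; a bot that proxies USB traffic to a genuine device still gets a valid statement, which is jrockway's point, and after registration the RP sees nothing but the header-only assertion data.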