Ask HN: Why aren't hardware passkeys used for access token creation?
3 points by zackify 5 hours ago
So I was thinking, with all these sophisticated attacks on package managers, that I should use a YubiKey more. One problem I wanted to solve for myself is that each morning, I open my fine-grained access token tab on GitHub and regenerate the key for the gh CLI with 1 day expiry. I paste this into my small CLI wrapper, and now even if someone gained access to my filesystem, my private key is on the hardware key and my gh CLI token will expire shortly.

It got me thinking, why isn't there CLI-level FIDO2 support for common AI services and GitHub, for example? Instead of a long-lived key when you open Claude, why can't it just require a touch of the hardware key and generate a temporary 1 hour key for use? Claude / GitHub only has the hardware public key, and any attack stealing any keys cannot do much damage.

Instead, to do this workflow right now, I have to manually open their site (log in via passkey on the ones that support it), regen a key with short expiry, and paste it back to the tool.
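The exchange the post asks for (the service keeps only the public key and trades a signed challenge for a one-hour token), as an added example that is not part of the original post and is not GitHub's or Anthropic's API. `Server`, `Enroll`, `Challenge`, `Mint` and `Valid` are hypothetical names, a software Ed25519 key stands in for the hardware key, and a real FIDO2 assertion signs more than the bare challenge shown here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"time"
)

// Server is a hypothetical token service: it stores the public key only.
type Server struct {
	pub     ed25519.PublicKey
	nonces  map[string]bool      // challenges not yet redeemed
	expires map[string]time.Time // issued tokens and when they lapse
}

func random() string { b := make([]byte, 32); rand.Read(b); return string(b) }

// Challenge issues a single-use random nonce for the key to sign.
func (s *Server) Challenge() string {
	n := random()
	s.nonces[n] = true
	return n
}

// Mint returns a token valid for ttl, or "" on a bad signature or a replay.
func (s *Server) Mint(ch string, sig []byte, now time.Time, ttl time.Duration) (tok string) {
	if s.nonces[ch] && ed25519.Verify(s.pub, []byte(ch), sig) {
		tok = random()
		s.expires[tok] = now.Add(ttl)
	}
	delete(s.nonces, ch) // redeemed or burned, never reusable
	return tok
}

// Valid is false for unknown tokens (zero expiry) and for expired ones.
func (s *Server) Valid(tok string, now time.Time) bool { return now.Before(s.expires[tok]) }

// Enroll creates a software demo key; sign stands in for a touch on the
// hardware key, and the server receives the public half only.
func Enroll() (sign func(ch string) []byte, s *Server) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	sign = func(ch string) []byte { return ed25519.Sign(priv, []byte(ch)) }
	return sign, &Server{pub, map[string]bool{}, map[string]time.Time{}}
}

func main() {
	sign, s := Enroll()
	ch := s.Challenge()
	println(s.Valid(s.Mint(ch, sign(ch), time.Now(), time.Hour), time.Now()))
}
```

A token copied off the filesystem stops working when its hour is up, and a captured challenge/signature pair cannot be redeemed a second time.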