Remix.run Logo
jmole 2 hours ago

Cobranded YubiKeys? Weird flex but ok.

Seriously though if you are letting agents do whatever they want without a PR process that requires hardware authentication or proof of presence, you are putting your code and your org at high risk.

jallmann 2 hours ago | parent | next [-]

> want without a PR process that requires hardware authentication or proof of presence

Just curious, what do you use for this?

I built OTP Guard [1] a few years ago for exactly this problem, although I haven't seen any alternatives in the space. Does GitHub have something built-in now?

The original framing was more "local malware compromising your GitHub account" ... it never occurred to me that the malware could be a LLM. I really should update the page.

[1] https://otpguard.com

jmole an hour ago | parent [-]

My simple process is:

0) agent gets its own separate git user and ssh key, separate from mine

1) branch protection rules on main, only I can approve merges into main

2) any other ssh key uses (interactive login, direct git access, etc.) are ed25519-sk keys and require a touch on yubikey.

TBH, the biggest hole is that it can be unclear exactly what process is requesting a touch on the yubikey. Apple has a head start here because they can lock down the TouchID UX relatively well, but unfortunately they don’t seem to care about building a polished developer experience for 2FA on sensitive tasks.

They are probably waiting for someone else to build the right solution and then copy/steal it.

kirab 2 hours ago | parent | prev | next [-]

> Cobranded YubiKeys

More interesting than that even, a tier of YubiKeys that does not exist outside of this cooperation.

The supported features sit between a YubiKey 5C and a Security Key C and I did not find any other way to purchase this tier.

toomuchtodo an hour ago | parent | prev [-]

Cobranding is just good marketing at minimal incremental spend when you're running off a batch of hardware.

https://news.ycombinator.com/item?id=13635798