[The technique described here is obsolete. Please see this update.]
I’ve recently started using a YubiKey NEO for two-factor authentication for sites that support it.1
Because I am using my YubiKey for more and more sites, I tend to leave it plugged in whenever I am in front of a computer for an extended period of time. The first day I was using the key it became clear that this was going to be a problem, when I left it plugged into my computer at work and didn’t realize it until I’d gotten home. Yes, new technology leads to new problems, but problems that are created by technology can be solved by technology too. Here’s how I solved the “Don’t forget your YubiKey at work” problem.2
In a nutshell, I am generating push notifications from my computer to my phone every time I plug in or unplug my YubiKey, reading those notifications in the Android Tasker app to to track whether it’s plugged in, and using Tasker to alert me if I walk away from my computer when it is. I explain in detail below how each of these pieces works.
Set up push notifications from my computer to my phone
On my phone, I’ve installed the Notify app from mash, which is just a generic notification receiver which generates a unique ID on the phone when it is installed. This ID can then be used to send push notifications to that specific phone.
On my computer, I’ve installed the notify-cli Node package, which knows how to send notifications to the app, and registered my unique ID as root (sudo -h notify -r phone-unique-ID)
.
If you do those two things, then sudo -H notify -t "Hello, world."
should cause a notification to appear on your phone.
Set up my computer to notify my phone whenever my YubiKey is plugged in or unplugged
This has four pieces:
- a shell script that does the notifying;
- a
systemd
service that invokes the shell script; - a
udev
rule that triggers the service; and - a
systemd
timer that also triggers the service once per minute, just in case theudev
rule doesn’t work.
The shell script
This is installed as /usr/local/bin/yubikey-monitor.sh
:
#!/bin/bash -e export HOME=$(eval echo "~$(whoami)") FLAG=/var/run/yubikey-watcher trap "rm -f \"$FLAG.lock\"" EXIT lockfile -1 -l 5 "$FLAG.lock" check_yubikey() { usb-devices 2>/dev/null | grep -q -s -i -w yubikey } if check_yubikey; then ACTION="add" else ACTION="remove" fi STATE=$(cat $FLAG 2>/dev/null || :) if [ "$ACTION" = "add" ]; then if [ "$STATE" != "plugged" ]; then notify -t "YubiKey is plugged in" if [ "$STATE" = "just-plugged" ]; then echo "plugged" >| $FLAG else echo "just-plugged" >| $FLAG fi fi elif [ "$STATE" != "unplugged" ]; then notify -t "YubiKey is not plugged in" if [ "$STATE" = "just-unplugged" ]; then echo "unplugged" >| $FLAG else echo "just-unplugged" >| $FLAG fi fi
The script is written to generate two notifications every time the YubiKey is plugged in or unplugged, just in case one of the notifications gets lost. That’s probably overkill, but shrug.
The systemd
service
This is installed as /etc/systemd/system/yubikey-monitor.service
, after which systemctl daemon-reload
is run to tell systemd
to load it:
[Unit]
Description=Check for inserted Yubikey
StartLimitIntervalSec=0
[Service]
Type=exec
ExecStart=/usr/local/bin/yubikey-monitor.sh
The udev
rule
This is installed as /etc/udev/rules.d/50-yubikey.rules
, after which udevadm control --reload-rules
is run to tell udev
to reread all of its rules.
ATTRS{idVendor}=="1050", ACTION=="add|remove", RUN+="/bin/systemctl start yubikey-monitor.service"
The systemd
timer
This is installed as /etc/systemd/system/yubikey-monitor.timer
, after which systemctl daemon-reload
is run to tell systemd
to load it:
[Unit]
Description=Check for inserted Yubikey every minute
[Timer]
OnStartupSec=60
OnUnitActiveSec=60
[Install]
WantedBy=timers.target
Process the notifications in Tasker
Once you’ve got the computer generating notifications to your phone, you need to configure the phone to process the notifications. I’m using the AutoNotification app, which integrates with Tasker, to do that. Here are the relevant Tasker configs:
Profile: YubiKey Plugged In (37)
Event: AutoNotification Intercept [ Configuration:Event Behaviour: true
Notification Type: Only Created Notifications
Notification Id: 1
Notification App: Notify
Notification Text: YubiKey is plugged in ]
Enter: Set YubiKey Variable (34)
Profile: YubiKey Unplugged (38)
Event: AutoNotification Intercept [ Configuration:Event Behaviour: true
Notification Type: Only Created Notifications
Notification Id: 1
Notification App: Notify
Notification Text: YubiKey is not plugged in ]
Enter: Clear YubiKey Variable (36)
Exit: Remove YubiKey Reminder (33)
Task: Set YubiKey Variable (34)
A1: Variable Set [ Name:%YUBIKEY To:1 Recurse Variables:Off Do Maths:Off Append:Off ]
A2: AutoNotification Cancel [ Configuration:Other Id: %anid
Package: %anpackage
Tag: %antag Timeout (Seconds):20 ]
Task: Clear YubiKey Variable (36)
A1: Variable Clear [ Name:%YUBIKEY Pattern Matching:Off Local Variables Only:Off ]
A2: AutoNotification Cancel [ Configuration:Other Id: %anid
Package: %anpackage
Tag: %antag Timeout (Seconds):20 ]
Task: Remove YubiKey Reminder (33)
A1: Notify Cancel [ Title:Don't Forget Your YubiKey Warn Not Exist:Off ]
Notify me when I walk away from my computer
Finally, these additional Tasker configs generate a notification (which goes to my Fitbit) and a silent vibration when I walk ten steps away from my computer, or a really loud alert when I walk fifty steps away:
Profile: YubiKey Soft Reminder (39)
Event: Steps Taken [ Number:10 ]
State: Variable Value [ %YUBIKEY ~ 1 ]
Enter: Quiet YubiKey Reminder (30)
Profile: YubiKey Loud Reminder (41)
Event: Steps Taken [ Number:50 ]
State: Variable Value [ %YUBIKEY ~ 2 ]
Enter: Loud YubiKey Reminder (40)
Task: Quiet YubiKey Reminder (30)
Run Both Together
A1: Notify [ Title:Don't Forget Your YubiKey Text:Don't Forget Your YubiKey Icon:null Number:0 Permanent:Off Priority:5 ]
A2: Vibrate Pattern [ Pattern:0,1000,250,1000,250,1000 ]
A3: Variable Set [ Name:%YUBIKEY To:2 Recurse Variables:Off Do Maths:Off Append:Off ]
Task: Loud YubiKey Reminder (40)
Run Both Together
A1: Morse [ Text:oo Frequency:4000 Speed:80 Amplitude:50 Stream:4 ]
A2: Variable Set [ Name:%YUBIKEY To:3 Recurse Variables:Off Do Maths:Off Append:Off ]
Conclusion
So, there you have it. My phone is now alerting me whenever I walk away from my computer and leave my YubiKey behind, first quietly and then loudly if I don’t pay attention, You can do it too, assuming that you’re as ridiculously obsessive about stuff like this as I am and willing to take the time to set it up.
Please email me or comment if you found this useful!
P.S. Don’t forget to back up your Tasker configuration (“Data” -> “Backup” from the home screen menu) and save the backup file somewhere off your phone, so you don’t have to rebuild everything if you lose or break it!
P.P.S. My first attempt at solving this problem involved having Tasker alert me if I strayed so far from my computer that it was no longer visible to my phone via Bluetooth. This proved to be quite unreliable; I was unable to get Tasker to reliably detect a nearby Bluetooth device, causing both false positives (i.e., my phone alerting me when I was still standing at my desk) and false negatives (i.e., my phone failing to alert me when I walked away from my desk without my YubiKey). The notification-based solution described here appears, at least so, far to be much more reliable.
1A quick primer, for those of you who are unfamiliar… The YubiKey sends two-factor authentication information to web sites when I either tap the button on the key, when it is plugged into my computer, or tap it on my phone’s NFC sensor, if I’m logging into somewhere on my phone. Furthermore, for sites that support Universal 2nd Factor (U2F) authentication, the YubiKey adds an additional layer of security, confirming the identity of the web site I’m logging into to ensure that I’m not being phished.
2If someone else has already solved this problem and I’m a fool to have wasted my time on it ;-), please feel free to let me know in a comment below. I’m always happy to throw away my own hacks and use somebody else’s instead, if it means one less hack for me to have to maintain.
Pingback: How I remember my YubiKey, take three – Something better to do
Pingback: How I remember my YubiKey – Something better to do