Try Automating a YubiKey Button Press


A few weeks ago, my daughter (Noa, 9) and son (Ethan, 7) sat in my home office minding their own business (iPads).

Then my son asked me:

  • Son“Dad, why do you need to touch that “thing” over there?”
  • Me“Oh, that’s a great question! That “thing” is called “YubiKey”. It is an easy and fast way to secure and access my accounts. For example, to access my Gmail account, I need to enter a password AND physically press the key
  • Son: “Physically press the key? mmm… can’t you ask Alexa or Siri?” (He is a HUGE fan of Alexa)
  • Me: “hehe, no no no, the YubiKey was actually designed for a human touch. The gold element you see there is meant to respond to a full finger touch
  • Daughter: “Dad, why didn’t you automate that??” (She knows me well 😉)
  • Me: “First, I don’t think that it can be automated… Second, why should I automate a YubiKey press??
  • Daughter: “Why not? It sounds like a fun challenge. No??

How does the YubiKey work? 🤔

YubiKey is a device that makes two-factor authentication using a single button. Each YubiKey device has a unique configuration to generate unique codes that confirm your identity.

On a very high level, the YubiKey has a capacitive touch sensor that measures your body’s capacitance to the ground (i.e., when you touch the plate, you are increasing capacitance).

Each capacitive sensor has a specific configuration/algorithm to recalibrate. Usually, once you un-touch the plate (i.e., remove the additional capacitance), it will reset the recalibration timer.

In addition to the recalibration algorithm, the capacitive touch area and capacitive touch sensitivity are pre-configured and cannot be modified.

So… Can we automate a YubiKey button press? 🙄 

I guess that the answer is No & Yes. Let’s answer the following questions:

  • Can we script the YubiKey button press – No
  • Can we leverage a “Smart Switch Button Pusher to push a button – Yes
  • Can we leverage API calls to control the “Smart Switch Button Pusher” – Yes
  • Can we script the API calls – Yes
  • And the biggest question of all…  Can we “trick” the YubiKey capacitive touch sensor to work with OTHER objects than a human figure? – Yes (There are several ways to do that. The common ground to all is the need to hook the capacitive sensor towards the ground, so it will “assume” it’s conductive as a human figure/enough).

Automation “Ingredients” 🗒

  1. YubiKeyYubiKey 5 or 5C (I used the 5C NFC)
  2. Electricity conductor (I used a standard “emergency door pin key”)
  3. Capacitive sensor trigger – I used a headphone cable (Headphone wires are negatively charged and usually coated with rubber. The friction of the wires is responsible for the induction of charge. When the Headphone jack touches the capacitive touch, it is considered as a touch)
  4. Smart Switch Button Pusher (I used a SwitchBot, but others will work as well)
  5. Lego bricks 🙂
  6. curl/AppleScript/Python/PowerShell (What works best for you?)

⭐️ And the result is… YubiKey Auto-Button Presser! ⭐️

The Setup:

YubiKey

The Code:

curl:

do shell script "curl -X POST https://api.switch-bot.com/v1.0/devices/E3233xxxx/commands --header 'Authorization: Bearer xxxx' --header 'Content-Type: application/json' --data-raw '{"command": "turnOn", "parameter": "default", "commandType": "press"}'"

Python:

import requests
import json
​
url = "https://api.switch-bot.com/v1.0/devices/E3233xxxx/commands"
​
payload = json.dumps({
"command": "turnOn",
"parameter": "default",
"commandType": "press"
})
headers = {
'Authorization': 'Bearer xxx',
'Content-Type': 'application/json'
}
​
response = requests.request("POST", url, headers=headers, data=payload)

PowerShell:

$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add("Authorization", "Bearer xxx")
$headers.Add("Content-Type", "application/json")
​
$body = "{`n `"command`": `"turnOn`",`n `"parameter`": `"default`",`n `"commandType`": `"press`"`n}"$response = Invoke-RestMethod 'https://api.switch-bot.com/v1.0/devices/E3233xxxx/commands' -Method 'POST' -Headers $headers -Body $body
$response | ConvertTo-Json

The videos:

Triggering a YubiKey button press using curl command

Triggering a YubiKey button press using AppleScript

Triggering a YubiKey button press using voice command

Final Thoughts 💡

Yes, it was a fun challenge, and I could automate the YubiKey button press. But does it really need to be automated? Well, my automation point of view is:

  • Not EVERYTHING needs to be automated
  • There is no single perfect automation tool. Select a tool that best serves you and the users
  • Don’t reinvent the wheel, leverage existing tools, solutions, and resources

What needs to be automated? For example (trying to keep it simple 🙂):

  • Time-consuming and repetitive tasks
  • Tasks prone for human-errors
  • Tasks that need to be monitored/alerted

Funny Anecdote 
I’m sitting for too many hours… Yes, I have a standing desk, but I’m “forgetting” to use it. Yes, I even scheduled reminders to stand and stretch, but I keep clicking on “dismiss.” So, my latest “innovation” is to connect the YubiKey using a long USB-C cable. Every time I need to press the YoubiKey button, I MUST stand up and walk (a few steps) to the YubiKey.

Let’s see how well that works… 😉

Related resources:

  • I am using Cisco Duo multi-factor authentication (MFA) for all my sensitive apps and data, which is the simplest and most effective way to make sure you are who you say you are.
  •  Want to explore more about security, YubiKey, and MFA?
    Check out the DevNet Security Dev Center.
  • Want to learn more about how YubiKey can be used with IoT-related projects and APIs?
    Check out the DevNet IoT Dev Center.

We’d love to hear what you think. Ask a question or leave a comment below.
And stay connected with Cisco DevNet on social!

LinkedIn | Twitter @CiscoDevNet | Facebook Developer Video Channel

Share:





Source link