Ask HN: Why aren't hardware passkeys used for access token creation?

A Hacker News user proposes using hardware passkeys like YubiKey for short-lived access token creation in CLI tools for AI services and GitHub, arguing it would enhance security by limiting token lifespan and reducing attack surface. The user currently regenerates tokens manually every day and calls for native FIDO2 support in CLI workflows.

So I was thinking, with all these sophisticated attacks on package managers, that I should use a YubiKey more. One problem I wanted to solve for myself: each morning I open my fine-grained access token tab on GitHub and regenerate the key for the gh CLI with a 1-day expiry. I paste this into my small CLI wrapper, and now even if someone gained access to my filesystem, my private key is on the hardware key and my gh CLI token will expire shortly.

It got me thinking: why isn't there CLI-level FIDO2 support for common AI services and GitHub, for example? Instead of a long-lived key when you open Claude, why can't it just require a touch of the hardware key and generate a temporary 1-hour key for use? Claude / GitHub only has the hardware public key, and any attack stealing any keys cannot do much damage. Instead, to do this workflow right now, I have to manually open their site, log in via passkey on the ones that support it, regen a key with a short expiry, and paste it back into the tool.

Comments URL: https://news.ycombinator.com/item?id=48555543
Points: 1
Comments: 0