Cobranded YubiKeys? Weird flex but ok.<p>Seriously though if you are letting agents do whatever they want without a PR process that requires hardware authentication or proof of presence, you are putting your code and your org at high risk.
> want without a PR process that requires hardware authentication or proof of presence<p>Just curious, what do you use for this?<p>I built OTP Guard [1] a few years ago for exactly this problem, although I haven't seen any alternatives in the space. Does GitHub have something built-in now?<p>The original framing was more "local malware compromising your GitHub account" ... it never occurred to me that the malware could be a LLM. I really should update the website.<p>[1] <a href="https://otpguard.com" rel="nofollow">https://otpguard.com</a>
> Cobranded YubiKeys<p>More interesting than that even, a tier of YubiKeys that does not exist outside of this cooperation.<p>The supported features sit between a YubiKey 5C and a Security Key C and I did not find any other way to purchase this tier.
Does this apply to anyone who verified their ID to get access to the slightly less restricted Codex versions, or only to security professionals who have the almost-entirely unrestricted version?
Dumb question: is using the built in passkey support on my iPhone not considered “hardware-backed”, since iPhone is using device biometrics?
I hope that at some point this is not developing to remote attestation when only "permitted" devices can use the models.
It’s an advertisement by Yubikey - the hardware key manufacturer
I was actually thinking they would have to do this. Having to mail a physical token to a valid address is a extremely powerful access control method.