twofas / 2fas-browser-extension

Source code for 2FAS Browser Extension
https://2fas.com/browser-extension
GNU General Public License v3.0

bug: Always asking for approval from phone #69

Closed ItielOlenick closed 7 months ago

ItielOlenick commented 7 months ago

Browser info

Chrome Version 121.0.6167.184 (Official Build) (x86_64)

Browser extension version

Version 1.6.3

Website

https://onelogin.com

Bug description

No matter how many times I approve the requests, every single time I need to take out my phone and approve it again.

Solution

Have a way to permanently trust my browser on my PC/mac. In addition, all of this would be solved if it were possible to have the codes visible in the browser extension.

Additional context

No response

KobeW50 commented 7 months ago

Have a way to permanently trust my browser on my PC/mac.

IMO, a better approach would be to have the browser extension request a password from you when you want to auto-fill the code. The entered password will be securely transmitted to the instance running on the mobile device, which will then verify the password and return the code(s) for that site.

Edit: I don't know if the password is vulnerable while entering it.

ItielOlenick commented 7 months ago

That defeats the purpose of having a browser extension. This approach will essentially replace the need to authenticate with a password and a code from a trusted device with 2 passwords.

Why not let me trust my device? Or better yet, just display the codes? The fact that I am coming from a trusted device (the browser on my own computer) should be enough.

KobeW50 commented 7 months ago

Check the comments of this issue

https://github.com/twofas/2fas-browser-extension/issues/22

ItielOlenick commented 7 months ago

If there is no intention of letting users choose this option and accept the risks, I think you should at least let them trust their browser so there is no need to check the phone each time the extension is used. Otherwise, what is gained by having the browser extension?

Tipoff4317 commented 7 months ago

I am a user, not the developer. I find the current browser extension functionality useful enough to select 2FAS over Aegis.

I understand that the extension is a "shortcut" to get the code without having to remember/type in the code manually. Potentially, it could be a "phishing-resistant" method for entering the code, i.e. using an algorithm to check whether the service you are entering the code into matches the service that you "registered" with. I like the fact that the phone which has the TOTP secrets is the authority approving the request, with a one-to-one request/approval interaction. I would be less comfortable with having this done in an automated manner where there is a request (from the network) and an automatic approval, because it seems more error/exploit prone than the one-on-one interaction.

There is no need to use this extension. Some people who find it inconvenient probably want to have a synced desktop-based TOTP generator, just like the outgoing desktop Authy.

GrzegorzZajac000 commented 7 months ago

@ItielOlenick We don't have desktop app because it would require sending Secret Keys to the desktop, which isn't safe. Security is our top priority here, and we don't want to compromise on it. There are many others that do not pay much attention to that and there is no reason for us to do another one like that 🙂 I hope you understand us, and thanks for your comment.

ItielOlenick commented 7 months ago

Thank you all for making the actual use of the app clear. It might be a good idea to make it a bit clearer to new users, as I'm sure you will see a great increase in users (and in turn confused/disappointed users) after the EOL of the Authy desktop app.

KobeW50 commented 7 months ago

@GrzegorzZajac000, would this be a plausible method of safely being able to use the extension without needing to physically approve the request on the mobile device?

have the browser extension request a password from you when you want to auto-fill the code. The entered password will be securely transmitted to the instance running on the mobile device, which will then verify the password and return the code(s) for that site.

GrzegorzZajac000 commented 7 months ago

@KobeW50 This solution also requires confirmation of the action on your phone.

KobeW50 commented 7 months ago

@KobeW50 This solution also requires confirmation of the action on your phone.

Why isn't the password enough of a confirmation that the true owner of the token is using the browser extension?

Currently, the factor of authentication to approve browser extension requests is having physical access to the 2FAS app on the mobile device. Why can't a password on the browser extension replace this factor?

GrzegorzZajac000 commented 7 months ago

@KobeW50 We can't send the password to the mobile device without a push message. So we would have to ask the user to accept the push anyway.