twofas / 2fas-browser-extension

Source code for 2FAS Browser Extension
https://2fas.com/browser-extension
GNU General Public License v3.0

Pull request on phone makes this pointless #91

Closed LanceLake closed 1 month ago

LanceLake commented 1 month ago

Question

So perhaps I'm missing a setting here, but when I request a token from my phone using the extension, the phone asks me to approve it.

If I need to go to the phone to get the code, then I might as well just do that anyway and not use the extension.

Can we have a setting that will auto approve from any already added browser?

msheakoski commented 1 month ago

Auto-approving a 2FA code is insecure since it is no longer a second factor in the authentication process. Your authentication is secured by your username/password being "what you know" and the code on your phone being "what you have in your possession". A malicious actor is highly unlikely to have access to both of those at the same time. Bypassing the manual approval of the code would end up being the same level of security as having 2FA turned off.

LanceLake commented 1 month ago

I disagree.

I have 1 computer. I have 1 phone. If an attacker gains access to my computer, he could for sure use that as a loophole and get the codes. But if he isn't at (or inside) my computer, then he doesn't have my phone to do this.

Perhaps have a setting that says, "I am at my computer, allow for retrieving of the code via the phone" that I can turn on for a certain time period.

It's a "risk vs. convenience" argument. My computer is pretty well protected against any kind of logging in by someone else. While I am using the computer, I'd rather have the convenience: if the app gets a request from my IP and from my computer's MAC address, or whatever else you want to use to make sure THIS computer made the request, then allow a toggle for me to just send it to the computer (even allowing the alert to show up on the phone just in case), or have a "remember this decision until the phone is turned off" option; even that would help.

LanceLake commented 1 month ago

And just to make it clear, my phone is not near my computer. I am disabled and the setup that I have does not have room for a cell phone without causing issues. So I have it on my bed nightstand. So when I want to use it, I request it, I get up and walk to the nightstand (hard to do for me), select yes to approve it, walk back to my seat and get set up again, and then copy and paste it (and hope I can do that within 30 seconds).

So I'd like the option to allow for convenience when I know I'm taking a risk. I think if the request came from my computer and the app was sure of that, then risk is minimized.

GrzegorzZajac000 commented 1 month ago

@LanceLake @msheakoski is right, and furthermore, storing secrets in the browser extension's storage is not safe and the secrets could be read by malware. You can also check my response in https://github.com/twofas/2fas-browser-extension/issues/22

LanceLake commented 1 month ago

> @LanceLake @msheakoski is right, and furthermore, storing secrets in the browser extension's storage is not safe and the secrets could be read by malware. You can also check my response in #22

Can you then tell me what the point of the extension is if I have to check my phone anyway?

GrzegorzZajac000 commented 1 month ago

@LanceLake The extension is just a shortcut for typing the correct token - you don't have to look for the appropriate service in the list and manually retype the token. This is the best secure and convenient option for now.