What about 2FA browser extensions?

Discussion in 'other software & services' started by Rasheed187, Jan 22, 2023.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I wonder how exactly they work, and would you use such extensions? The big advantage is that you don't need to use your smartphone anymore to get 2FA codes. But I have no idea if this will work with every website that supports authenticator apps like the ones from Google, Authy and Microsoft. The one from 2Stable doesn't work yet on Windows, from what I understood.

    https://chrome.google.com/webstore/detail/authenticator/bhghoamapcdpbohphigoooaddinpkbai?hl=en
    https://authenticator.cc/docs/en/overview

    https://chrome.google.com/webstore/detail/authenticator-app/pnbabdldpneocemigmicebglmmfcjccm
    https://authenticator.2stable.com
     
  2. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,924
    2FA with the same machine is not clever. Think again about 2FA.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    It's not a good idea in case you have malware that's capable of intercepting both password and 2FA code directly from the browser. However, on smartphones you don't have 2FA at all with most apps, unless you make use of YubiKey or something like that. So if you can make sure there is no malware on the system, it's not a big issue.
     
  4. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Have you used either of these? I tried the second one and couldn't figure out how to get it working.
     
  5. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
    +1
    I miss lile feature on this forum sometimes.
     
  6. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,924
    To mention that YubiKey is a hard coded different and not fakeable USB device.
    Ofc it is possible to run a virtual Android on the same machine, but I won't recommend this.
    Any 2FA here is tied to my smartphone for a reason. All the way long I had no trouble or hacked account, but 2FA is mandatory for some services here.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    No, I haven't checked them out yet, and I'm trying to figure out how 2FA directly via the browser works. I suppose it isn't any different than the Authy desktop app which was released back in 2014. And the app from 2stable.com doesn't support Windows yet, and I'm also not sure if it works without a smartphone, which would make it less interesting to me.

    Haven't got a clue what you mean with lile? And Authy has already addressed this concern, they make a good point that if you have some info stealer on your system, this malware can simply steal your cookies which will also bypass the 2FA system. This is what happened with the recent LastPass and CircleCI hacks.

    https://authy.com/blog/introducing-authy-for-your-personal-computer/
    https://authy.com/blog/new-authy-desktop-beta-available-for-macos-and-windows/

    I didn't quite understand you. But what I'm saying is that if you log in to apps on your smartphone, there is no 2FA either, unless you make use of a hardware security key, which is the second device. So how come this is only a problem for you guys on PCs?
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    This one also seems to be interesting, at least when it comes to the "less is more" principle. But of course trust also plays a role. So now that I think about it, I wonder if something like this could be integrated into browsers like Vivaldi?

    https://github.com/hoishing/mini-authenticator
    https://chrome.google.com/webstore/...tor/nmhjblhloefhbhgbfkdgdpjabaocnhha?hl=en-US
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Another one is 2FAS, but I don't know if you still need to use your smartphone in order to make it work.

    https://2fas.com/browser-extension/
    https://2fas.com
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
  11. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,438
    Location:
    Slovakia
    The browser is the most vulnerable and targeted piece of software on PC, I would never use it for 2FA. I use 2fast on desktop as 2FA backup, it relies on Windows permissions, it uses Windows Hello and it prevents screenshots.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    OK cool, didn't know about 2fast. And I know what you mean, but keep in mind that a built-in feature is not the same as using some extension. And as long as your browser is protected, you should have no major problems. Don't forget that any infostealer that can hijack cookies can probably bypass 2FA anyway, no matter if a hardware key, desktop app or smartphone is used.

    https://github.com/2fast-team/2fast
     
  13. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    I haven't heard of 2fast. Can you post a link to a download page?
     
  14. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,093
    Location:
    UK
  15. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,924
    And in case Windows is compromised or defective, such solutions ain't nothing. No Windows, no 2FA, lost in space. 2FA is more than verification, it's also for recovering, or to gain back access.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    No, correct, you need to have a backup of the secret codes or at least a second method of authenticating yourself. With a browser, your secret codes could also be synced to other devices, which means they're stored in the cloud. Or you could just simply make a backup (cloud or external drive) of the secret codes file on disk, that's what I have done with 2FA desktop apps.

    Have you blocked me Victek? I also posted a link to 2fast. :p
     
  17. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,438
    Location:
    Slovakia
    That is the reason people should have a backup of 2FA verification (+backup codes) as well and not rely on a single app. Databases (online/offline) can get corrupted or hacked.
    Aside from 2fast I also use MS Authenticator, sadly it cannot be synced to multiple devices, but that is sort of an advantage, if sync gets corrupted, an offline version will work.
     
  18. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,924
    On purpose, otherwise anyone can clone data and have access when hijacked. Each secondary device needs to be verified itself.
     
  19. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,438
    Location:
    Slovakia
    Funny, 3rd party apps have no problems with it, only MS, ALWAYS MS, so much for backups, yet when it comes to passkeys MS ignores security completely, it is your device it is 100% you, because you say so. :argh:
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    But wait a minute, you can't use 2 authenticators for the same website, right?
     
  21. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
    You sure can.

    If the website supports it, you can add multiple ones, each with their own "shared secret", but if the website does not support it, you can still use the single "shared secret" in all authenticators.
     
  22. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,644
    Location:
    USA
  23. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,438
    Location:
    Slovakia
    The webpage only provides the code, you can use it in as many authenticators as you want, either manually or by scanning the QR code.
     
  24. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
    Yes, but such a backup is also a liability: if hacked, 2FA is no longer a thing. Such a backup must be extra secure from any digital intrusion, and as such kept separately from the main backup. Maybe printing the QR code on paper isn't that bad of an idea? Especially for the second factor, provided the first factor is not printed.
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    OK I see, so basically if you import the secret code into some other 2FA app (mobile or desktop) it should still work, didn't think about this. BTW, I am planning to add a YubiKey to protect my Gmail and Yahoo Mail accounts but what I noticed is that Yahoo Mail only allows you to register one key, so you can't make a backup key, quite weird. So hopefully they will also allow you to keep logging in with 2FA OTPs as a backup.
     
    Last edited: Jan 12, 2024