Anyone else think this is a really, really bad idea?
– Phishing attack prevention is a sham. It's going to work for as long as attackers are not aware that someone's running Authy. After that, there is nothing that stops the attacker from opening the whitelisted URL in a different tab in addition to the phishing one.
– Saying that Authy for PC is "no worse" than using a separate device because of session tokens is misleading. Many websites reject session tokens when a user is logging in from a new location/IP, which is why 2FA is there in the first place.
– Above all, 2FA enables a precise audit. This is no longer possible with such automation. Malware that gets access to a computer can copy the Authy installation to its servers, and then fully erase itself to avoid detection. It can then access the user's data months after the time of the attack, completely undetected.
– Using Bluetooth to automatically connect with the phone is equally bad. Part of the idea behind 2FA is that the machine the user is operating is considered compromised until (or even after) it is authenticated. Allowing a Bluetooth connection directly into the phone from a machine like that compromises security.
It's worth noting that private SSH keys work without 2FA and all password logins are required to use 2FA. That's the security policy I was looking for.
Setting up pam_url+totpcgi is a bit involved, and it doesn't come prepackaged for Debian. But it certainly shouldn't be insurmountable. Here is a link to their installation guide:
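The policy described above (a key alone, or a password plus a TOTP prompt through PAM) can be expressed in sshd_config and the sshd PAM stack like this. This is an added example, not the commenter's own setup: the OpenSSH directives are standard, while the pam_url.so line and its option handling are assumed and depend on how the module is installed and configured.

```text
# /etc/ssh/sshd_config (relevant lines only)
PubkeyAuthentication yes
# Disable sshd's own password prompt so passwords only arrive through PAM
PasswordAuthentication no
# Named ChallengeResponseAuthentication on OpenSSH releases before 8.7
KbdInteractiveAuthentication yes
UsePAM yes
# Space-separated entries are alternatives: EITHER a public key alone,
# OR the PAM keyboard-interactive stack (which asks for password + TOTP)
AuthenticationMethods publickey keyboard-interactive:pam

# /etc/pam.d/sshd (auth section only)
# First factor: the account password
auth required pam_unix.so
# Second factor: TOTP verified against the totpcgi server via pam_url
# (module name and placement assumed; options live in pam_url's own config)
auth required pam_url.so
```

Check the result from a second session before closing the one you are editing from: `ssh -o PubkeyAuthentication=no user@host` must prompt for both password and code, while a key-based login must succeed with no prompt.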
That stuff only protects against server-side compromise of the secrets. I don't know, but if I'm using something as inconvenient as 2FA, I want it to protect my credentials client-side too.