
This sort of defeats the idea of 2FA, doesn't it? If it's implemented as a software service on the same device, it's (well theoretically at least) hackable at the same time as the device itself. The 2 factors from 2FA are both accessible to an attacker at the same time, so you effectively have just a single factor auth.



It does, but there's actually a way to do this (i.e. U2F without having to buy another device) in a safe way, by using the TPM available on most computers: https://github.com/psanford/tpm-fido


Unfortunately without additional hardware support it's hard to tie TPM FIDO to physical user presence, which means compromising the system doesn't give you access to the secrets but does let you sign as many challenges as you want without user involvement.


Realistically speaking, if your machine is compromised it's effectively game over. If you're signing into services on a daily basis an attacker wouldn't have to wait long to piggyback off a legitimate request. The chances that you catch the compromise before that happens are slim.


Exactly. This is why 2FA is being discussed, and why this software breaks 2FA.


By the way, I like that tpm-fido is using uhid instead of USB/IP, because USB/IP doesn't have any security or authentication. At least we can restrict which users can create a uhid host process, etc.

But USB/IP seems very insecure!


This is actually built-in to Safari on newer Macs.


It's still a second factor, just one that isn't as isolated as separate physical hardware. It's certainly more secure than a single password, while still giving the user absolute control over it.

I can see this being very useful for accounts which are effectively throwaway, but they still force you to 2FA. The same is true of TOTP generators.


Is having 2 passwords to login considered 2-factor? Or single-factor because they're both the same type of authentication...


Same factor.

It's always based on the

1) something you know,

2) something you have,

3) something you are

categorisation. Multiple use of a single category still counts as one factor.


By that, TOTP isn't a second factor either.. it's something you know. If it's something you have, that would be the same with passwords.. I don't know them..


It depends on how you use passwords and TOTP. I think the expectation is that busy people have a generator on their phone so it is know your password and have your phone.

Of course, if you are like me and keep your TOTP secret in your password manager, then it is basically the same factor as a password.


TOTP is a second factor because you can't store it in your mind (and therefore it's not something you know, but something you have to have). You could defeat that using this virtual FIDO project, or by storing the secret in readable format in a password manager that itself can be unlocked with your knowledge, but if we're just trying to find ways to use factors in a way that makes them useless, you can also just store them in a pastebin: it's free, and all you need on any computer is to visit your paste URL!
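The point made above (and in the earlier reply about keeping the TOTP secret in a password manager) is that a TOTP code is a pure function of the seed and the clock, so every party holding the seed is interchangeable. The following is an added example, not code from the original thread or from any project named in it: a minimal RFC 6238 generator over HMAC-SHA1, run against the published RFC 6238 Appendix B test seed (the ASCII string "12345678901234567890"). The "phone" and "password manager" in SameSeedSameCode are just two calls with the same seed, which is exactly why a seed sitting next to the password is no longer an independent factor.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// TOTP implements RFC 6238 over HMAC-SHA1: the code is HOTP(seed, T) with
// T = floor(unixTime / step). Everything here is deterministic, so anyone
// holding the seed (phone app, password manager, attacker who exported the
// seed) computes the identical code for the same time window.
func TOTP(seed []byte, unixTime int64, step int64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/step))

	mac := hmac.New(sha1.New, seed)
	mac.Write(msg[:])
	sum := mac.Sum(nil)

	// Dynamic truncation (RFC 4226 section 5.3): the low nibble of the last
	// byte selects a 4-byte window; the sign bit is masked before the decimal
	// digits are taken.
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff

	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// SameSeedSameCode is the thread's point in one function: two "devices"
// that share the seed are indistinguishable to the server, so the second
// device is not a second factor once the seed lives beside the password.
func SameSeedSameCode(seed []byte, unixTime int64) bool {
	phone := TOTP(seed, unixTime, 30, 6)
	passwordManager := TOTP(seed, unixTime, 30, 6)
	return phone == passwordManager
}

func main() {
	// RFC 6238 Appendix B test seed; the times are the RFC's test times.
	seed := []byte("12345678901234567890")
	for _, t := range []int64{59, 1111111109, 1234567890} {
		fmt.Printf("T=%d  code=%s\n", t, TOTP(seed, t, 30, 8))
	}
}
```

The 8-digit codes for the three times above are the SHA-1 values listed in RFC 6238 Appendix B; authenticator apps normally use 6 digits and a 30-second step, which is what SameSeedSameCode uses.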


I store both passwords and 2FA in an automated software. 2FA seeds can be exported (eg. when moving to a new phone).

The categorization makes some minimal sense, but basically any additional not-identical "factor" is additional security (though there's obviously a diminishing return because of the complexity-vs-security trade-off).


> I store both passwords and 2FA in an automated software.

This effectively reduces the 2nd factor to the first, and indeed produces the diminishing return. It's sufficient to hack one system using one method and you compromise both defenses.

The point behind 2nd factor is to provide a second, *independent* layer of protection that would need to be compromised using an entirely different attack.

In the case of the FIDO2 dongles, including the YubiKeys, the secret isn't even stored on your system but on the device itself, which doesn't even disclose it to your connected system.


Um, excuse my shoddy phrasing. I meant a desktop password manager and a mobile TOTP manager. Both are software, but they are not "a software", sorry.

But yes, recently I have seen people use password managers that really do both in one single piece of software (a browser extension).

I have a few U2F hardware devices, they are convenient when set up and plugged in, rather inconvenient otherwise :/


Technically correct, but the short-hand naming may be misleading here. It’s the physical interaction or hardware dependency that makes the difference.


Something you have: mobile phone or email address (in which you'll receive the code).


The e-mail thing is a bit silly; sure, if someone leaks your password you're safe, but if your device is compromised there is a good chance the attacker has access to your e-mail too.


Actually, if your PC is compromised, then the bad guy can exploit even a hardware YubiKey, because the YubiKey lacks any screen, only a button.

The adversary can intercept your login MITM-style, authorize themselves on another machine, just using your machine as a proxy, and the website you tried to log in to would just display the error "can't authenticate, try again".

And thanks to the fact that the key lacks a display, the attacker can even authenticate to a different site than the one you are authenticating to now.

Trezor is way better device here:

> Phishing protection with on-screen verification. Trezor always displays the URL of the website the user wants to log in to, and what exactly is going to be authorized; therefore it is possible to verify that what was sent to the device is what is expected.

https://wiki.trezor.io/U2F https://wiki.trezor.io/FIDO2

And it supports U2F and FIDO2 (FIDO2 requires more expensive, newer model).

P.S. Storing locally in the TPM is a bit more secure, but still exploitable in case of local privileged code execution.
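The two comments above (the earlier one about tpm-fido being unable to tie signing to physical user presence, and this one about a compromised host proxying the key) both come down to what a U2F authenticator actually signs and what it cannot see. The following is an added example, not code from tpm-fido, Trezor, or the virtual FIDO project under discussion: a toy software U2F key that signs the U2F authentication data layout (appParam, user-presence byte, counter, challengeParam) with ECDSA P-256, and a relying party that verifies it. It makes two simplifying assumptions: one key pair instead of per-site key handles, and challengeParam taken as the SHA-256 of an opaque challenge string rather than of the full client data JSON (in real U2F that JSON carries the origin the browser saw, which a compromised browser can set to anything). Scenario plays out a legitimate login, a replay of that assertion at a different origin, and a proxied request from malware on the user's machine.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// SoftKey models a software U2F authenticator with no button and no screen
// (a toy constructed for this example; real keys also use per-site key handles).
type SoftKey struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

func NewSoftKey() (*SoftKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SoftKey{priv: priv}, nil
}

// Sign produces the U2F authentication signed data:
// appParam(32) || userPresence(1) || counter(4) || challengeParam(32).
// The host supplies both hashes; the key signs whatever it is handed.
func (k *SoftKey) Sign(appParam, challengeParam [32]byte) (data, sig []byte, err error) {
	k.counter++
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], k.counter)
	data = append(data, appParam[:]...)
	data = append(data, 0x01) // UP bit always set: there is nothing to press
	data = append(data, ctr[:]...)
	data = append(data, challengeParam[:]...)
	digest := sha256.Sum256(data)
	sig, err = ecdsa.SignASN1(rand.Reader, k.priv, digest[:])
	return data, sig, err
}

// RelyingParty verifies assertions for exactly one origin (appId).
type RelyingParty struct {
	AppID       string
	Pub         *ecdsa.PublicKey
	lastCounter uint32
}

func (rp *RelyingParty) Verify(data, sig []byte) error {
	if len(data) != 69 {
		return errors.New("malformed signed data")
	}
	want := sha256.Sum256([]byte(rp.AppID))
	if !bytes.Equal(data[:32], want[:]) {
		return errors.New("appParam is for a different origin")
	}
	if data[32]&0x01 == 0 {
		return errors.New("user presence not asserted")
	}
	ctr := binary.BigEndian.Uint32(data[33:37])
	if ctr <= rp.lastCounter {
		return errors.New("counter did not increase")
	}
	digest := sha256.Sum256(data)
	if !ecdsa.VerifyASN1(rp.Pub, digest[:], sig) {
		return errors.New("bad signature")
	}
	rp.lastCounter = ctr
	return nil
}

// Scenario returns the relying parties' verdicts for: a legitimate login at
// the bank, that same assertion replayed at the shop, and a fresh signature
// that malware on the user's host requested for the bank's appId.
func Scenario() (legit, crossOrigin, proxied error) {
	key, err := NewSoftKey()
	if err != nil {
		return err, err, err
	}
	bank := &RelyingParty{AppID: "https://bank.example", Pub: &key.priv.PublicKey}
	shop := &RelyingParty{AppID: "https://shop.example", Pub: &key.priv.PublicKey}
	bankApp := sha256.Sum256([]byte(bank.AppID))

	// 1. Honest browser: bank's appId hash plus the bank's own challenge.
	data, sig, err := key.Sign(bankApp, sha256.Sum256([]byte("bank challenge #1")))
	if err != nil {
		return err, err, err
	}
	legit = bank.Verify(data, sig)

	// 2. Same bytes presented to the shop: appParam pins them to the bank.
	crossOrigin = shop.Verify(data, sig)

	// 3. Compromised host: malware hands the key the bank's appId hash with a
	//    challenge from the attacker's own session. With no display and a UP
	//    bit it sets itself, the key cannot tell this apart from case 1.
	data2, sig2, err := key.Sign(bankApp, sha256.Sum256([]byte("attacker session challenge")))
	if err != nil {
		return legit, crossOrigin, err
	}
	proxied = bank.Verify(data2, sig2)
	return legit, crossOrigin, proxied
}

func main() {
	legit, cross, proxied := Scenario()
	fmt.Println("legitimate login:      ", legit)
	fmt.Println("replay at other origin:", cross)
	fmt.Println("proxied by malware:    ", proxied)
}
```

Two things to read off the output: the appParam check is what stops a stolen assertion from being reused at a different site (the cross-origin case fails), but it does nothing against a host that asks the key for a fresh signature under the right appId (the proxied case verifies). A hardware key with a button only adds a press the user will make anyway during a real login; a device with a display, as the Trezor quote describes, is what lets the user see which appId is about to be signed.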


I'm a little confused here, but I thought 2FA was a combination of something I know (a password) and something I have (an authenticator). So an attacker getting access to your computer is the same as them getting access to your authenticator?

Or do you mean that this leaves the secrets vulnerable to spyware and stuff? Because in that case, as the other comment says, one could use the TPM.


A good example here is 1Password, which stores passwords and also allows storing TOTP.

Which means the something I know is stored in the same places as something I have. Granted it is protected by encryption, and another password, but it definitely increases the attack surface.

If the computer is compromised it becomes much more possible to get access to both of these items than if it was a security key, physical authenticator or even on a different device.


Partially, but this still blocks many attacks that a password alone wouldn't.

I always think of 2FA as insurance against password theft/leaks. If users don't practice good password practices and use the same password for multiple accounts, for example, when ${next web site to be hacked} leaks all plaintext passwords, you can't just turn around and use that password to access ${another site where I used the same password but have 2FA enabled}. Or I'm logging in to a site from someone else's computer and they have a keylogger. [Obviously this virtual 2FA device wouldn't let me log in in that scenario--but in general, this is another case where the 2FA doesn't have to be rock solid, it just needs to exist if you captured my keystrokes.]

A direct attack on my workstation to steal my virtual 2FA device and my passwords isn't protected by this virtual 2FA device, but that's low in my list of worries overall for people's account security.


It's definitely not strong against the same breadth of attacks as a physical key, but I'd argue there's a place for something like this.

This would still protect against phishing, which is probably the bigger risk for the average consumer.


To reiterate after giving it a bit more thought, this actually could be very useful if combined with fingerprint or facial detection as approval method - a bit like what Apple is now doing with passkeys, but will work with many more services out-of-box...


Yes it is for security, but it could be useful for testing



