My impression is that “hosted” is common parlance for programs that present as web applications, rather than typical executables. A web application is naturally capable of “leaving the laptop” so to speak, which is often one of the benefits/intents of the program design.
Ok, except that the secret is the TOTP generator. Anyone that has the secret can generate any TOTP for any point in time, and own your 2FA. An attacker needs nothing else. So if the secrets are stored online - ever - it's nullifying the "offline" claim.
Does anyone know a 2FA app that only stores secrets offline? E.g. without any networking code; as it's not only not required, but IMO is required NOT to be there for it to actually functionally be "two-factor authentication", and therefore locally-isolated.
iCloud is the worst choice of a place to store them as it's the same place the other factor may be routinely saved / backed-up, especially if "across devices".
You’re not wrong, a hardware keychain gizmo with a camera for scanning QRs would be the ultimate actually-secure 2FA device (at least against remote attackers). Personally though I view standards-based 2FA more as a tool to reclaim my login abilities from the insane zoo of “let us email or text you a code” confirmations various sites force on you because they assume you must use a stupid and reused password so that’s not enough now.
When I store my passwords and their 2FA secrets in my KeePass db, I’m arrogantly taking for granted that I won’t ever leak my whole secrets database, which is a risk I’m willing to take because I know what I’m doing (and don’t have any secrets valuable to state-level actors). I appreciate having the option to make this call so I don’t have to drop in to my email just to log into frigging Patreon.
iirc the location of the mud is secret, and there is some question of legality due to it not being private land(?). it may be difficult to source a vast quantity of magic mud for public sale/charity/marketing.
many (most?) red squiggles are autofixable with eslint. I use eslint exactly like prettier, in that I never think about formatting and everything gets fixed/formatted on save.
Many are, but some of the "errors" are not helpful while code is in progress. Why do I need to see them while typing if they can be easily auto-fixed later? It's just more useless visual clutter to worry about.
> then it might be pretty fiddly for someone to clone that repo and get it running locally
with node + TS, it is straightforward (and common) to generate JS output at publish time for distribution. then, using the CLI tool or whatever is only an `npm install -g <pkg>` away, no extra steps.
sure it's not a single binary, but I'd argue _most_ users of a general CLI utility don't necessarily care about this.