by pliu 3825 days ago
This is neat, but I feel a bit conflicted about it. Authenticate to phone, phone authenticates to website.

Certainly less laborious than entering a password, then authenticating to your phone so you can copy a token code. But I feel like my login would then become simultaneously more and less secure.

More secure from remote attackers who would have to spend a lot of effort to get at my phone, but like waaaayyyy more vulnerable to local attackers who could super easily get at my phone. Breaking the screenlock on my phone is surely easier than breaking a complex password.

I'm definitely an edge case in that I have a very high level of security for my personal stuff, but I've always modelled my security strategy on the fact that anyone can easily whack me on the head and jack all my shit. You could put password auth on your phone, but from a UX perspective this is awful. I'd rather just have no phone.

So, conflicted. This feature sounds great, but feels less good than "normal" MFA. Maybe I'm being crazy and it's all just fine. I accept that my credit card number will somehow become compromised in the future, maybe we all just have to accept a little identity theft in our lives too.