[henryfjordan]

It depends on your threat model.

You pair your phone and browser and then they can talk. Any time you want to log in through that browser it can talk to your phone and auth you automatically. For someone to exploit this, they'd need access to the computer with your browser.

So if your laptop gets stolen, yes this is a bad idea, but I think most people think that they can just revoke the browser's keys if if the laptop gets stolen and they are way more likely to have their phone stolen anyway.

[jonafato]

I was more thinking of malware / some otherwise rogue process. This seems like something that's worth having in the world of fake support remote desktop scams.

[ReverseCold]

That's so easy to bypass.

1. Wait for user to sign in. 2. Intercept their sign in. 3. User: "Oh, it didn't work. I'll just try again." 4. User tries again and it works. Attacker is also logged in now.

Alternatively, at that point you could just inject JS into whatever website needed 2FA and do everything without the user noticing anything.

[ztjio]

It wouldn't matter if they had their laptop stolen unless they also had their phone stolen. The keys are on the phone. Any new auth attempt would require the phone in proximity of the laptop. It connects via Bluetooth, not over the internet.