by bmurphy1976 1790 days ago
You still need 2FA and the 2FA absolutely should NOT be a part of your password manager. Use a different app at the very least.

This should help alleviate some of the worst password manager risks.


Under WebAuthn you can have 2FA despite only one authentication flowing from your authenticator to the web site. Nice smartphones (say, a modern Pixel or an iPhone) with fingerprint readers have as the two factors your fingerprint (something you are) and the phone itself (something you have). The phone signs your authentication, the private information (your fingerprint) never leaves the phone, it just warrants that it checked it (UV bitflag in the signed data).

Or say you have a FIDO 2 Security Key from Yubico. As well as the features of the cheaper FIDO 1 Security Key products, this has a PIN verifier. The PIN is something you know, while the Security Key itself is something you have, so that's two factors, once again the UV bitflag is signed.

It's simpler, it's easier, it's more secure. And yet, right now I bet an HN reader is implementing yet another shitty SMS-as-2FA hack and we're still in a thread about remote authenticating with passwords - an idea that was already terrible in the 1970s.
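An added example, not from the commenter above: how a relying party reads the UP and UV bits out of the signed WebAuthn authenticatorData (layout rpIdHash | flags | signCount, as in the spec) and refuses an assertion whose authenticator never verified the user. The RP ID "example.com" and the sample bytes are constructed here; signature verification over authData || SHA-256(clientDataJSON) is a separate step not shown.

```python
import hashlib
from dataclasses import dataclass

# Bit positions in the authenticatorData flags byte (WebAuthn spec).
FLAG_UP = 0x01  # User Present: authenticator saw a touch or gesture
FLAG_UV = 0x04  # User Verified: PIN/fingerprint checked on the device
FLAG_AT = 0x40  # attested credential data follows (registration only)
FLAG_ED = 0x80  # extension data follows


@dataclass
class AuthData:
    rp_id_hash: bytes
    user_present: bool
    user_verified: bool
    sign_count: int


def parse_authenticator_data(raw: bytes) -> AuthData:
    """Parse the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(raw) < 37:
        raise ValueError("authenticatorData too short")
    flags = raw[32]
    return AuthData(
        rp_id_hash=raw[:32],
        user_present=bool(flags & FLAG_UP),
        user_verified=bool(flags & FLAG_UV),
        sign_count=int.from_bytes(raw[33:37], "big"),
    )


def assertion_problems(raw: bytes, rp_id: str, last_sign_count: int, require_uv: bool = True) -> list:
    """Relying-party checks that need no public key: RP ID binding, presence and
    verification flags, and a counter that must move forward. Empty list means OK."""
    ad = parse_authenticator_data(raw)
    problems = []
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rp_id_mismatch")
    if not ad.user_present:
        problems.append("no_user_presence")
    if require_uv and not ad.user_verified:
        problems.append("no_user_verification")  # device-only, so single factor
    if ad.sign_count != 0 and ad.sign_count <= last_sign_count:
        problems.append("counter_not_increased")  # possible cloned authenticator
    return problems


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample authenticatorData prefix for testing, not real device output."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


if __name__ == "__main__":
    print(assertion_problems(make_auth_data("example.com", FLAG_UP | FLAG_UV, 8), "example.com", 7))
```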

What if the phone is fully compromised?
What about it?

If your threat model is "People fully compromised my phone" then you should definitely not rely on the phone in the face of that.

Is there any realistic scenario that protects against a fully compromised phone/computer?
I mean yeah, if you use 2FA and both phone and computer are just one factor on their own, then a compromised phone does not matter. So my question is, how about the mentioned scenario - to me it seems that just compromising the phone would compromise the whole, but maybe I misunderstood.
> You still need 2FA and the 2FA absolutely should NOT be a part of your password manager. Use a different app at the very least.

Recommended if storing 2FA codes in a password manager is to use 2FA for the password manager that isn't stored in the password manager. Off the top of my head, that doesn't seem to really open up any additional risks over storing 2FA passwords outside of the password manager.

Personally, it's a matter of practicality - I use my phone for personal 2FA codes, but don't have a work-provided phone and am not going to use my personal phone for work purposes - and as many services now require 2FA, it's easiest to store those 2FA codes in my work-provided password manager.