by remram 1729 days ago
Like most of the services popping up around 2FA, now that 2FA is popular: this essentially removes one of the factors.

Whether you're making one of the factors available to everyone on Slack, or putting it next to the password in LastPass, the result is the same, you delete the security benefits of 2FA.


Most people have their phone as a 2FA device, but they will login to websites/services on their phone anyway. Would you suggest preventing logins from phones?

The REAL benefit of TOTP is that it's time sensitive. If someone does have your password and TOTP code over the wire, they cannot repeat the attack.

I think this service is fine, but as others have pointed out, you're giving away your TOTP secret to a third party, which makes them a very good target for attackers looking to score a pot of gold.

> The REAL benefit of TOTP is that it's time sensitive. If someone does have your password and TOTP code over the wire, they cannot repeat the attack.

Instead they just have your session cookie, which probably doesn't expire for six months.

The real benefit of 2FA is that, unlike with passwords, users cannot make stupid choices, like using the same one for multiple websites or the password "password". The user is usually the weakest link; 2FA reduces reliance on the user behaving appropriately.

The factors are: something you know, something you own. Logging in from your phone doesn't break 2FA in any way, as long as you still enter a password.

Using a password manager on your phone turns it into just something you own.