[ElectronShak]

Very interesting, and certainly hard to catch, even for technical users. Maybe it is things like this where google is justified for "forcing" 2FA on us. Lowers, although minimally, the effectiveness of auth credential attacks.

[jcynix]

You cannot move the fake window out of its parent, but you can do this with a proper popup window. So it can be "catched" but this is (at least) inconvenient and easy to forget.

As is 2FA, e.g. when I'm using a tablet in bed and the smartphone for the 2nd factor is on the table in the living room ... I'd like to see 2FA devices which could be easily duplicated, just as physical keys can.

[djrogers]

> I'd like to see 2FA devices which could be easily duplicated, just as physical keys can.

Many can - what phone based 2fa are you using that can’t sync to your iPad?

[jcynix]

OK. I was in bed already when writing this, so didn't properly describe the features of physical keys I value. And, btw, most of the time it's a lightweight laptop, not a tablet. "Tablet" was a "placeholder" for just any other mobile reading device.

While I could duplicate 2FA credentials onto another device, even onto my wife's device (if needed, e.g. for online banking), the attractive feature of a _physical_ key is that I can control the number of copies and "revoke" one after handing it over for a short time and then recollect the device again. That's not as easy with virtual "keys" like authentication apps.

At work, we use smartcards to store credentials (i.e. X.509 certificates). And you are allowed to get a second and even third card, if needed. So I can have one in the office, and one at home. All are protected by their respective PINs. And we do have bluetooth based card readers for smartphones. That (possibly miniaturized like a yubikey) is my preferred model of a "physical" device to use as a key.