by acdha
1430 days ago
This is why you need to start with a threat model. For example, if your concern is password reuse or weak passwords, simply using a password manager to have unique per-site passwords solves that problem for almost anyone. If your concern is phishing, storing the code on the device (especially on a modern phone) is really moot since all forms of one-time codes are vulnerable — you should be working on how to switch to FIDO2/WebAuthn. If your concern is a temporary exploit of the user's browser, using an out-of-process password manager is likely to prevent exfiltration of the entire password list, but in practice this is already probably a disaster scenario unless you're using sites which require a strong FIDO2 challenge for sensitive operations, since the attacker already has your cookies for everything you use regularly.
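The contrast the comment draws between one-time codes and FIDO2/WebAuthn comes down to origin binding, which the following added example illustrates from the relying party's side. This is editor-added code, not part of acdha's comment or any real WebAuthn library. It assumes a relying party with RP ID `example.com` (constructed), builds the `clientDataJSON` and `authenticatorData` a browser and authenticator would hand back (constructed stand-ins), and checks only the binding fields; signature verification over `authenticatorData || sha256(clientDataJSON)` is deliberately omitted. A minimal RFC 6238 TOTP verifier is included beside it to show that a relayed TOTP code carries nothing that ties it to the site the user typed it into.

```python
import base64
import hashlib
import hmac
import json
import struct

# Constructed relying-party configuration (hypothetical RP, not a real deployment).
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def rp_id_hash(rp_id):
    # First 32 bytes of authenticatorData are SHA-256 of the RP ID the page requested.
    return hashlib.sha256(rp_id.encode("ascii")).digest()


def verify_assertion_binding(client_data_json, authenticator_data, expected_challenge):
    """Check the fields of a WebAuthn assertion that bind it to our origin and RP ID.

    Returns (ok, reason). Signature verification is omitted on purpose; this shows
    only why a credential exercised on a look-alike domain is rejected.
    """
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch"
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, "origin not allowed: %r" % origin
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != rp_id_hash(RP_ID):
        return False, "rpIdHash mismatch"
    flags = authenticator_data[32]
    if not flags & 0x01:
        return False, "user-presence flag not set"
    return True, "ok"


# --- Constructed stand-ins for what the browser and authenticator produce ---

def make_client_data(origin, challenge):
    # The browser fills in the origin of the page that called navigator.credentials.get().
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": origin}).encode("utf-8")


def make_authenticator_data(rp_id, flags=0x01, counter=1):
    # A page may only request an RP ID that is a registrable suffix of its own host,
    # so a phishing page cannot ask the authenticator to sign under "example.com".
    return rp_id_hash(rp_id) + bytes([flags]) + struct.pack(">I", counter)


# --- TOTP (RFC 6238, HMAC-SHA1, 30 s step) for contrast ---

def totp(secret, unix_time, step=30, digits=6):
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret, code, unix_time):
    # Nothing in the code identifies where the user typed it, so a relayed code verifies.
    return hmac.compare_digest(totp(secret, unix_time), code)


def phishing_comparison():
    """Same user, same credential: legitimate site vs. look-alike site."""
    challenge = b"\x01" * 32  # constructed; a real RP uses a fresh random challenge
    legit = verify_assertion_binding(
        make_client_data("https://example.com", challenge),
        make_authenticator_data("example.com"), challenge)
    phished = verify_assertion_binding(
        make_client_data("https://example.com.evil.test", challenge),
        make_authenticator_data("example.com.evil.test"), challenge)
    secret, t = b"12345678901234567890", 59  # RFC 6238 test vector inputs
    relayed_code = totp(secret, t)  # code the user typed into the phishing page
    return {"webauthn_legit": legit[0], "webauthn_phished": phished[0],
            "totp_relayed_accepted": verify_totp(secret, relayed_code, t)}


if __name__ == "__main__":
    print(phishing_comparison())
```

The relayed TOTP code is accepted because the verifier has no way to tell which page collected it, whereas the WebAuthn assertion from the look-alike host fails on both the origin check and the rpIdHash check before any signature is examined.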