by shawnz 1073 days ago
> Is it really multiple factor auth if you're using the same device for the password and automatically filling in the token?

Yes, the two factors are having the device with the password database on it, and knowing the unlock code for the database or being the biometrically identified owner.

1 comments

You might say those are 2 factors, but when it's happily auto-filling passwords and MFA codes automatically, uhh, that's a lot of trust in a computer built to run arbitrary code, let alone JavaScript etc. in a browser environment! Maybe it's 1.5 factor? It's not truly separate. To encourage people to do this with no warning is irresponsible. Variants of timing attacks that can result in arbitrary code execution come out often. Browsers have such a massive attack surface.

Expecting users to remember individualized passwords and maintain separate authentication factors for every service is placing a lot of trust in the user! I think this is a case where it's reasonable to think that automation might actually lower the overall risk.

Furthermore I don't think maintaining individual factors for every service would protect you very much against a browser compromise.