by luke-stanley 1073 days ago
You might say those are 2 factors, but when it's happily auto-filling passwords and MFA codes automatically, uhh, that's a lot of trust in a computer built to run arbitrary code, let alone JavaScript etc. in a browser environment! Maybe it's 1.5 factor? It's not truly separate. To encourage people to do this with no warning is irresponsible. Variants of timing attacks that can result in arbitrary code execution come out often. Browsers have such a massive attack surface.
1 comment

Expecting users to remember individualized passwords and maintain separate authentication factors for every service is placing a lot of trust in the user! I think this is a case where it's reasonable to think that automation might actually lower the overall risk.

Furthermore, I don't think maintaining individual factors for every service would protect you very much against a browser compromise.