by a2b 4438 days ago
Anyone else think this is a really, really bad idea?

– Phishing attack prevention is a sham. It's going to work for as long as attackers are not aware that someone's running Authy. After that, there is nothing that stops the attacker from opening the whitelisted URL in a different tab in addition to the phishing one.

– Saying that Authy for PC is "no worse" than using a separate device because of session tokens is misleading. Many websites reject session tokens when a user is logging in from a new location/IP, which is why 2FA is there in the first place.

– Above all, 2FA enables precise audit. This is no longer possible with such automation. Malware that gets access to a computer can copy the Authy installation to its servers, and then fully erase itself to avoid detection. It can then access the user's data months after the time of the attack, completely undetected.

– Using Bluetooth to automatically connect with the phone is equally bad. Part of the idea behind 2FA is that the machine the user is operating is considered compromised until (or even after) it is authenticated. Allowing a Bluetooth connection directly into the phone from a machine like that compromises security.