Hi everyone,
I would like to start a discussion regarding the security architecture of having a web interface that allows access to 2FA/TOTP codes.
Currently, the service allows users to access their codes via the official website using standard credentials (and potentially 2FA to get in). While I understand the convenience—syncing across smartphones, tablets, PCs, and sharing access with family members or colleagues—I believe allowing browser-based access to the actual codes creates a significant security vulnerability that defeats the purpose of 2FA.
The Risk of Session Hijacking
I am raising this point due to a recent personal experience. I was the victim of a session hijacking attack caused by a compromised browser extension. The attackers stole my session cookies and bypassed passwords and 2FA on several major platforms (including Amazon).
If the 2FA application itself is accessible via a web browser, it becomes susceptible to the same attack vectors (cookie theft/session hijacking). If an attacker gains access to the web vault via a stolen session, they instantly possess both the user's passwords (if stored there) and the 2FA codes protecting other accounts.
Redundancy vs. Accessibility
Given that we already have:
Multi-device sync (phones, tablets, desktop apps).
Local and Cloud backups.
The ability to share vaults/codes with trusted individuals (family, team).
Security key support.
Is there a genuine need to expose the codes directly in a web browser?
Proposal
I suggest we prioritize "Maximum Security" over "Maximum Convenience" for the web interface. Perhaps we should consider:
Removing the ability to view TOTP codes via the web interface entirely (allowing only account management).
Or, making web access to codes an "opt-in" feature that is disabled by default.
Or, requiring a physical hardware key (WebAuthn/FIDO2) interaction for every session to decrypt the web vault, preventing simple cookie theft attacks.
I’d love to hear the community's thoughts on this.
Gio