Vivaldi with built-in 2FA authenticator?
-
@far4 said in Vivaldi with built-in 2FA authenticator?:
@RasheedHolland
It means putting all your eggs in one basket... and with recovery codes also? Yes? So we can be sure to have everything in one place. I strongly disagree. Ideally, 2FA codes should even be generated on a separate device (e.g., an old J2me-enabled cell phone will do). Keeping all secrets in one program is a sure way to lose them.Yes, but that's why it's optional. So people who prefer to use a 2FA app on smartphone or desktop can still do so. For people who believe that their system is protected pretty well, this built-in 2FA option would be nice. And I bet it would also stimulate more people to use 2FA in the first place, because right now it's often a hassle. And besides, on a smartphone everything is also in one basket if you think about it.
-
Well yeah like I told the other guy they don't integrate with Google at all. So unless they use like authy or something or invent their own it will never happen
-
@mikeyb2001 said in Vivaldi with built-in 2FA authenticator?:
Well yeah like I told the other guy they don't integrate with Google at all. So unless they use like authy or something or invent their own it will never happen.
Not sure what you mean with this? Normally speaking, websites support TOTP, which is supported by Google and Microsoft Authenticator and Authy of course. In other words, Vivaldi's built-in 2FA authenticator would work the same as these apps.
-
@RasheedHolland
It's called "don't tempt your neighbor with easy solutions." Almost a bible.
How many people do you think would be tempted by this opportunity if it were done? More than half... or more than 75%... or more? I'm kidding, but there's a smart grain in every joke.A separate program on smart is at least some protection. It can be passworded to run, access to information can be separately passworded - as in the case of keepassdx.
-
@far4 said in Vivaldi with built-in 2FA authenticator?:
@RasheedHolland
A separate program on smart is at least some protection. It can be passworded to run, access to information can be separately passworded - as in the case of keepassdx.What I noticed is that on smartphones security is very weak, many apps often don't even ask for 2FA codes after first usage! On a PC, websites most of the time ask for the 2FA code each and every time, like it's supposed to do. Unless you stay logged in of course.
But I don't see how built-in 2FA is way less secure then using some other desktop 2FA app. Because in case you have an infostealer on your system, you're probably toast. Unless the browser profile is protected from access against untrusted apps. And 2FA secret codes should always be encrypted on disk and if possible in memory.
-
@RasheedHolland
As far as I understand, the principle of 2-step in user identification is important also because it should not work automatically. That is, the person entering the site should start the 2fa-generator himself, then select the desired item, then memorize the displayed number and manually enter it into the field on the site. Yes, many people like to copy, but the basic point remains: run, select, click copy/paste. If you implement 2fa in a browser it is tempting to completely automate the whole process. That's if you don't use paranoid mode with constant authorization confirmation.Next, you suggest encrypting 2fa secret-codes. At what point would we enter a password? Or even different passwords - for different sites, just to get 6 or 8 digits? At each access to 2fa? Or will we do with system-wide security, whoever is logged in has full access to the user profile encrypted by means of the file system? Do you realize how complicated it gets? It's much easier for developers not to deal with this whole topic, shifting it on the shoulders of other specialists. That's why the browser stores only passwords. It's too much responsibility and hassle to store everything.
ps At the same time, many people think that you don't need to store passwords in your browser either. It is better to use special managers - it is safer.
-
@far4 said in Vivaldi with built-in 2FA authenticator?:
@RasheedHolland
Do you realize how complicated it gets? It's much easier for developers not to deal with this whole topic, shifting it on the shoulders of other specialists. That's why the browser stores only passwords. It's too much responsibility and hassle to store everything.It isn't complicated at all. Like I said, it wouldn't work any different than the WinAuth and Protecc 2FA desktop apps, or like 1Password. As soon as you open the browser, it should ask you for a password to get access to the secret codes from all websites.
And whether it's less secure or not than other options is another discussion. Of course using a second device like smartphone or hardware security key is safer, but sometimes also less convenient, there is always a trade off between the two. But this built-in 2FA option (like in Safari on macOS) would be nice for people who know how to secure their PC's.
For example, I'm the only user of my desktop and laptop and use them only at home, so I'm not that worried about physical theft. I have also protected my PC with all kinds of extra security tools (behavior blockers) meant to protect the system in case an AV like Windows Defender fails to protect against malware.
-
Seems to me the 'ambassadors' here don't really understand what two-factor authentication support in a password manager (which Vivaldi de facto has) means. This article should make it easier to grasp: https://www.guidingtech.com/use-icloud-keychain-two-factor-authentication/. If the iCloud Passwords app for Windows, together with its Chrome extension (which actually works in Vivaldi), can have it, I suppose Vivaldi's built-in password manager can have it, too. Currently, I am using the aforementioned iCloud Passwords, for exactly this reason - that it supports 2FA. On iPhone, it makes even less sense to use Vivaldi's built-in password manager, since for some websites which use 2FA for login I would still need to be using a password manager that supports it. So, basically, the absence of 2FA support in Vivaldi makes its password manager a neat, but kinda useless feature.
-
@karolleon said in Vivaldi with built-in 2FA authenticator?:
two-factor authentication support in a password manager
The password manager is a Chromium core feature and when Chromium gets 2FA secured password manager then Vivaldi will inhertits it.
That's the fact. -
@DoctorG I see. Then, if there is no other way of introducing this feature, I guess it was me who did not understand.
-
@karolleon said in Vivaldi with built-in 2FA authenticator?:
I am using the aforementioned iCloud Passwords, for exactly this reason - that it supports 2FA. On iPhone, it makes even less sense to use Vivaldi's built-in password manager, since for some websites which use 2FA for login I would still need to be using a password manager that supports it. So, basically, the absence of 2FA support in Vivaldi makes its password manager a neat, but kinda useless feature.
I didn't know about the iCloud Passwords extension, I suppose it allows you to automatically fill in the 2FA codes? But I get what you're saying, for you as an Apple user it would be nice to have this feature too in Vivaldi.
https://chromewebstore.google.com/detail/icloud-passwords/pejdijmoenmkgeppbflobdenhhabjlaj
-
@DoctorG said in Vivaldi with built-in 2FA authenticator?:
The password manager is a Chromium core feature and when Chromium gets 2FA secured password manager then Vivaldi will inhertits it. That's the fact.
@karolleon said in Vivaldi with built-in 2FA authenticator?:
@DoctorG I see. Then, if there is no other way of introducing this feature, I guess it was me who did not understand.
No you didn't misunderstand.
Vivaldi could either build a 2FA authenticator as a standalone feature, which works separately from Chromium's built-in password manager. Or they could build a completely new password manager with better encryption and 2FA support.
Popular password managers (Bitwarden, 1Password, RoboForm) all offer 2FA authenticators (not for free), but the problem is that those apps need to be running in memory all of the time, which costs RAM usage. And overall I didn't really like how they integrate with the browser, so that's why I still use Vivaldi's built-in password manager.
-
@RasheedHolland 2FA secured password manager is the similar to feature request masterpassword protected password manager.
-
@DoctorG said in Vivaldi with built-in 2FA authenticator?:
@RasheedHolland 2FA secured password manager is the similar to feature request masterpassword protected password manager.
No, you're misunderstanding, that's not exactly the same. That's simply to protect other users of your PC from getting access to your autofill passwords, see link. I would like to see a more secure password manager in Vivaldi, however even with the current one from Chromium, Vivaldi could still add a 2FA authenticator feature.
https://support.mozilla.org/en-US/kb/use-primary-password-protect-stored-logins
-
I understand 2FA like this; having 2FA can be
- for extra authentication with TOTP and hardware keys on a website
- unlock of a password before inserting it password field on a website
You want Point 1?
-
@DoctorG said in Vivaldi with built-in 2FA authenticator?:
I understand 2FA like this; having 2FA can be
- for extra authentication with TOTP and hardware keys on a website
- unlock of a password before inserting it password field on a website
You want Point 1?
Yes exactly. Of course we're then talking about TOTP, because hardware keys are already supported in Windows and Vivaldi. Sadly enough, many websites don't support hardware security keys. But most support TOTP, but having to use a separate 2FA app can become a bit of a hassle.
-
@RasheedHolland said in Vivaldi with built-in 2FA authenticator?:
I didn't know about the iCloud Passwords extension, I suppose it allows you to automatically fill in the 2FA codes?
Yup, exactly. It’s very handy. On Apple products, it’s integrated seamlessly, obviously. On Windows, it works on Chrome-based browsers, and, just like you wrote, it automatically generates and fills in the codes. Only thing is you need to first authorise the extension with a code generated by one of your Apple products. Which isn’t too big of a deal, since you only need to do it once per session.
But I get what you're saying, for you as an Apple user it would be nice to have this feature too in Vivaldi.
True. If Vivaldi’s password manager supported 2FA, I wouldn’t need to go through the extra step on Windows AND I wouldn’t have to deal with this clunky UI which on Vivaldi on iOS is a result of having two password managers active. When you compare how the UI looks and behaves on Safari and on Vivaldi, the former is so much more elegant.
https://chromewebstore.google.com/detail/icloud-passwords/pejdijmoenmkgeppbflobdenhhabjlaj
That’s the one. I know it has a low rating, but I personally haven’t had any problems with the extension.
@RasheedHolland said in Vivaldi with built-in 2FA authenticator?:
No you didn't misunderstand.
Vivaldi could either build a 2FA authenticator as a standalone feature, which works separately from Chromium's built-in password manager. Or they could build a completely new password manager with better encryption and 2FA support.
+1 on this, then. It would be great to have it integrated into Vivaldi.
And overall I didn't really like how they integrate with the browser, so that's why I still use Vivaldi's built-in password manager.
Same here. I used to use Enpass (which, by the way, is free on Windows and only costs some money on mobile), but I prefer the iCloud Passwords experience.
-
@karolleon said in Vivaldi with built-in 2FA authenticator?:
Yup, exactly. It’s very handy. On Apple products, it’s integrated seamlessly, obviously. On Windows, it works on Chrome-based browsers, and, just like you wrote, it automatically generates and fills in the codes. Only thing is you need to first authorise the extension with a code generated by one of your Apple products. Which isn’t too big of a deal, since you only need to do it once per session.
To me it's indeed about convenience. At the moment I have chosen to trust my browser, which means that websites will not ask me for a 2FA code each and every time. But this is less secure, so if I was able to fill in the 2FA code with only one or two clicks, I would disable this ''trust this device'' feature. Currently I'm using a 2FA desktop authenticator app which works well, but is a bit of a hassle, it's just too many steps.
Same here. I used to use Enpass (which, by the way, is free on Windows and only costs some money on mobile), but I prefer the iCloud Passwords experience.
Yes, I have never liked it, I've tried Enpass and RoboForm, and perhaps they have been improved since then, but it was a hassle and didn't work out of the box. Besides this, they have to run in memory all of the time, and they need to communicate with the browser, which in theory is a security risk.
-
@karolleon said in Vivaldi with built-in 2FA authenticator?:
True. If Vivaldi’s password manager supported 2FA, I wouldn’t need to go through the extra step on Windows AND I wouldn’t have to deal with this clunky UI which on Vivaldi on iOS is a result of having two password managers active. When you compare how the UI looks and behaves on Safari and on Vivaldi, the former is so much more elegant.
BTW, I just discovered that Proton also has a password manager named Proton Pass, it's not a desktop app but an extension. But if I look at the features, this is exactly how I envision it should be implemented in Vivaldi.
-
We all know about the Vivaldi browser's capabilities in many ways. What I Don't understand is that why it seems complicated to add a 2fa feature just like the way "Proton Pass" does. Is it insurmountable for the developer team to deal with and add this feature to its already multifunctional abilities?
