There is indeed a whole lot of problems with security and we don't have consensus on a nice/minimum setup. My main concern right now is the physical access to hardware (my place is far from being a vault). Finding my address would not be that big of an issue then getting in would be very easy.
For now having backups in multiple places is the best for me, having physical keys is not solving any on my security concern. The good part is no one cares about my stuff so for now this is OK.
If your computer is compromised whatever token/cookie you will get from the authentication will be also compromised.
Assuming the computer is compromised also open a lot more issues, privilege escalation can be done in a lot of ways depending of what is being installed (even sudo was hit by such issues https://www.cve.org/CVERecord?id=CVE-2021-3156 )
This is were the manifest/permission is important. I cannot emphasize enough that I had to code this myself because, at the time, nothing else would be OK with me. This was because of 1- way too big of a code base, 2- way too many permissions.
It is indeed a problem that extensions are not as well maintained as Linux distribution packages but in this specific instance the extension has no right to read any information nor send requests to any server.
If you have any concern I would gladly hear technical insight about the threat model involved. The cross-post on the Privacy communities sparked more conversation if you want to follow up on that point : https://lemmy.ml/post/12744864.
Extension "authenticator" has been around for more than a decade now. I am sharing something that is small, simple, auditable and secure (no permission to do anything but past on clipboard).
There is an irony in password managers that stores your password but need a password (passphrase would be better). A password for your passwords. Fundamentally this is because the only secured space, only you can get in and no one else, is your own brain.
Most password leaks are usually caused by bad implementations on the server side. I have an authentication protocol to avoid many password leakages I'd like to share one day (double salt, one from client, one on server so password is never shared to the server).
Websites have no way to creep into your browser, extensions included. Usually it is the other way around. Such a leak would be catastrophic for the browser (thinks of all the password manager). At least here it is not even a password manager but only the TOTP so you still have your password as security (still this will never happen realistically).
Database is encrypted in the local storage of the extension. So far Firefox is secure enough so this is not accessible from outside (it is encrypted anyway). The encryption is using the crypto web API (native from web browser) to use PBKDF2 key. It is decrypted with your password so the database is in RAM (not saved anywhere unencrypted) as long as the browser is open or you click to "logout".
You can export/import all the entries with a simple JSON format (for now, simple "name"+"secret" for each entry). You should encrypt this export file or save it in a encrypted volume yourself.
Thank you for your constructive comment.
Indeed many people thinks 2FA as 2 devices. I am not sure where that came from and what specifically make people think that way. Despite all my research and experience using 2 devices solve no specific security problem. I think there is a whole topic to be argued on this (should I make a blog post on this?).
As for me I have Aegis on my smartphone (really perfect nothing to say). But I have many unwanted/unnecessary 2FA to go through every day (for the last 3 years). I am cleaning my cookie/connection every time I close my web browser and I am not keeping my computer on all the time. Therefore those 2FA needs to be done a lot (I mean at least 3 time a day). I do not interact much with my smartphone, also this is the least secure device I own so web browser extension is an OK way. I used to have a python script I could have run from one of my IoT through ssh. So far I don't see any vector of attack this would prevent compared to browser extension.
I see hundreds of thousands of users using other extensions that I wouldn't run on my system and I am sharing a better solution, nothing perfect, nothing that requires mass adoption.
Well this is 600 lines of code, if you cannot audit that you can indeed ignore it for now. Once again this is the only auditable code out there and not asking for unrelated permissions.
Next part is going to be security and some storage off-loading on memory (mostly avoiding logs on storage). Then probably a part 3 on server stack (nginx/apache) and network.
I never encounter this CG/NAT, I'm wondering how it goes with online game for instance (wouldn't it be a no-go for many casual users?). I have set-up once a VPN as a reverse-proxy, buying the lowest tiers of VPS (Virtual Private Server) as it would had a public IP to use and just forward everything to the server (which was in a shared space so kind of the same as CG/NAT). This is not 100% host but at least the VPS is just a gateway and doesn't hold anything and is easily replaceable.
Sorry I had in mind you login in from a computer that was compromised (without your knowledge), I didn't had in mind a computer compromised without being in use.
EDIT : store your 2FA in the browser from the extension would not be 'like an idiot' as it is encrypted.
EDIT 2 : no forget everything, this whole situation is absurd. If your computer is compromised your password are not (do you store in clear text?!). If you use it to login you are owned already.