Show HN: Faktor – The missing 2FA code autocomplete for Chrome

getfaktor.com

26 points by auchenberg 6 days ago

Hi everyone, Kenneth here. As a loyal Chrome user, I was frustrated that one of Apple's most loved features from Safari and iOS wasn't available in Chrome. So, I built Faktor—a tool that grabs 2FA security codes from your iPhone and autofills them in Google Chrome on your Mac.

Faktor is a native macOS app with a small Chrome extension, and once you install Faktor it's easy to forget that this functionality isn't native to Chrome.

Enjoy!

marcrosoft 2 days ago

Congrats on launching and building something. Unfortunately I think this is very bad for security. We have seen numerous account takeovers from iMessage and SMS based 2FA. This makes it even easier. I also don’t understand why password managers are starting to support storing TOTP. It is a terrible idea.

  • LelouBil 2 days ago

    My view is that totp/2FA prevents someone with only your password from logging in.

    Having the totp seed inside a password manager doesn't break this goal, so I'm fine with it.

    Of course it means if my password manager gets hacked, there's everything to log in inside, but I'm more concerned about services leaking password hashes that get broken, or accidentally getting phished (and giving up a password + totp combo that can only be used once) instead of my password manager being hacked.

    • dylan604 2 days ago

      I just went round and round with my bank about needing my phone number so they can text me a TOTP. You know, for security. They just can't quite seem to wrap their head around how having the same device running their banking app that also receives the text is not secure when the device is no longer in your possession.

      • mr_mitm 2 days ago

        Doesn't the attacker still need to know the password to the banking account, or the master password to the password manager? That'd be the second factor.

        Besides being able to unlock the phone in the first place obviously.

        • dylan604 2 days ago

          I only switched to a device with FaceID recently, so I haven't seen how often false positives are in the wild. I still have devices with ThumbID, and I can get into my tablet with rubber gloves without any issues. As far as just a password, if you're using a password manager also located on the phone... There's also people that just don't enable any of that kind of thing on their apps. So we're still fighting those fights. I'm the type that wishes every single app required authentication though.

      • Thorrez a day ago

        If they're texting you it, it's almost certainly not TOTP.

        • dylan604 a day ago

          Their words, not mine. I probably should have put it in quotes.

          • Thorrez 21 hours ago

            Huh, TOTP and HOTP are pretty technical terms, and I generally don't hear them in places meant for general consumers to read (e.g. even Google Authenticator, which does TOTP and HOTP, doesn't say TOTP or HOTP). The general term, OTP is much more common, and is accurate for SMS.

            • dylan604 21 hours ago

              Soooo, now you're arguing with me about what the person on the phone said? Where does that take the conversation?

              • Thorrez 11 hours ago

                I'm not trying to argue. I'm just saying that it's strange.

      • BrickTamblan 2 days ago

        Sounds like one factor auth with 2 passwords

        • joshribakoff 2 days ago

          It's called two step verification. Prevents someone from “guessing” the password but doesn’t stop someone who has physical access to the device with the password stored. Same as with e-mail or SMS codes, basically. I don’t think I recall any websites that detect I am using my phone and rely on a true “second factor” aside from enterprise applications where I got a hardware Yubikey.

          • marcrosoft 19 hours ago

            It is called 2 factor or multi-factor authentication. It should be something you know (password) and something you have (device). Storing totp with your password defeats the entire point of it.

  • kstrauser 2 days ago

    > I also don’t understand why password managers are starting to support storing totp.

    1Password's had this for many years now. In a perfect world with users who followed the rules perfectly every time, a separate TOTP gadget is clearly better. In this world, a slightly less secure TOTP system that's convenient enough that regular people actually use it is vastly better than a perfect system that gets worked around.

    Analogy: NIST says to stop requiring periodic password rotations. In dreamland, users would use their password manager to create a new, ultra-strong, unique password every time. In reality, people tired of the rotation treadmill go from `SecurePassword!202406` to `SecurePassword!202407`.

    As a component, a separate TOTP generator is better. As a system, an integrated one is more useful.

  • dheera 2 days ago

    I'm 200% in favor of exposing how bad SMS is until companies stop using it and start supporting hardware keys.

  • immibis 2 days ago

    It turns out that security at the expense of usability is at the expense of security.

londons_explore 2 days ago

> One-time payment: A license for Faktor is a one-time purchase that gives you a life-time license.

While nice for users, this funding model kills anything bigger than a one-man project in today's world.

Turns out users pay one-time but software developers prefer their salary not to be paid one-time.

  • notpushkin 2 days ago

    This does look like something a single developer could pull off though?

LeoPanthera 2 days ago

If your 2FA code is as autocompletable as your password, is it really a second factor?

  • bayindirh 2 days ago

    I personally don't think so. It's something you know + something you have with you.

    If your computer is compromised, the 2FA should be somewhere else, not in a keychain.

    This is why I like Yubikey and other forms of 2FA (phone based TOTP, mostly).

  • eschatology 2 days ago

    Yes — because 2FA is commonly stored on a separate device (phone), people are very quick to conclude that it is pointless otherwise without thinking further.

    Even if it is stored in your password manager, it is still useful. Consider the case where your network or website is compromised: the password is compromised and can be reused, but the totp 2fa that is in your password manager still prevents login by anyone who obtained your password. There are many attack scenarios but storing 2fa and enabling autocomplete definitely does not make it useless.

    • dheera 2 days ago

      Also I'm sick and tired of every business thinking that a phone has to be the second factor.

      A laptop, or even better, a large, immobile desktop PC, is a much better second factor than a phone, and there is no reason why a user should be forced to go find their phone when they have console access to a much larger device.

      Putting a Yubikey semi-permanently on every device and having you do a one-time registration of each device (initially using another already-registered device) should be the default way of implementing 2FA.

    • dylan604 2 days ago

      But what if it is an app on the phone that is asking for that 2FA which then receives that 2FA via text?

  • nicce 2 days ago

    The 2FA code (RNG seed) can be stored in password managers directly as well.

    It is an access requirement for something else, which fulfills the criteria of 2FA.

    In this case, there is a requirement to access the browser and the phone.

    • k8sToGo 2 days ago

      But if you have it in the PW manager, isn’t it moot?

      I guess it’s still safe against leaking of your password only.

      • LelouBil 2 days ago

        Yes, you're completely right.

        It depends on your threat model vs usability/ease of use.

  • eli 2 days ago

    OK, so it's a passkey for sites that don't support passkeys. I'm fine with that.

  • CGamesPlay 2 days ago

    Possibly. But this appears to be for SMS-based 2 factor, so you'll need your phone nearby.

zabil 2 days ago

I'm glad to see someone making this for Chrome. I really like how Safari does it. It can check mail and messages, then delete the message after verifying. One of the reasons why I am finding it difficult to switch from Safari.

  • trilbyglens 2 days ago

    Broken websites aren't enough of a reason to switch?

    • Destiner 2 days ago

      I use Safari almost exclusively for all desktop browsing, and haven't seen fully broken or even mildly broken websites in years.

      I think what helps a lot is that if it's broken in Safari on macOS (not a big deal for the business), it would also be broken in Safari on iOS (which would be a disaster).

    • zabil 2 days ago

      Never seen a broken website on Safari. Like others mentioned, anything specific?

    • agos 2 days ago

      Which websites are broken? I'm not seeing them.

      • dylan604 2 days ago

        Most of my experience with broken sites is from media extensions for JavaScript that just are not available to anything other than Chrome. These may be niche, but that is my world. I don't use Chrome, so I'm kind of used to seeing these. Again, these may not be in the wild on sites with large visitor counts, but I have had to decide on not using certain things because they are not available in Safari/Firefox.

bluepnume 2 days ago

Very cool! Will you also add support for secret based 2FA codes, similar to Authy / Google Authenticator? It would be incredible to have those autofill.

  • robertfall 2 days ago

    1Password already has support for this. Some would argue that you're defeating the purpose of 2FA if it's stored in the same way as your password, but it is pleasant.

    • smitelli 2 days ago

      Personally, I use KeePass and a self-managed password database. I look at it as the "something I have" factor being the database file itself, and the "something I know" being the master password that decrypts it. Then it doesn't bother me quite so much that the password and 2FA seed are right next to each other.

    • danpalmer 2 days ago

      Does 1Password do SMS based 2FA code filling? I use it for sites where they let me use any compliant auth app, but I've not seen a way to get it to work for SMS codes.

      • KomoD 2 days ago

        No, only passkeys or TOTP stored in 1Password.

    • ale42 2 days ago

      KeePassXC also does it.

codedokode 2 days ago

Isn't there a problem that if your computer gets hacked, the attacker will be able to bypass 2FA?

nwhnwh 2 days ago

I don't use a Mac right now, but this looks nice.

angra_mainyu 2 days ago

Why not bitwarden?

  • ericol 2 days ago

    I use both Bitwarden (personal, recommended by a friend, paid for a year in advance) and 1Pass (paid by my company).

    The level of friction Bitwarden adds as compared to 1Pass is staggering.

    Also, their Firefox extension eats resources like a new baby (I had to disable it because just a handful of tabs [1] were killing my machine).

    [1] May be a little more than a handful, but having to disable an extension so that your machine behaves normally is telling.

turnsout 2 days ago

The lengths that people will go to in order to avoid using Safari

k8sToGo 2 days ago

Chrome also doesn’t support password autofill, sadly.