
Comments (6)

amichaelyu avatar amichaelyu commented on June 3, 2024 1

@tijme I understand your concern and see why storing the OTP seeds locally could be a problem; however, would it be possible for a desktop client to read the OTP seeds from an iCloud backup, therefore never needing to actually store the OTP seeds locally?

from macos-receiver.

igr avatar igr commented on June 3, 2024

I could not agree more. The only thing I miss is the mac app. I would even pay for it. That was the only reason why I used Authy before.

from macos-receiver.

tijme avatar tijme commented on June 3, 2024

Hi @itsmichaelyu and @igr,

Unfortunately this will not be implemented. The MacOS receiver was designed to only be able to receive tokens if you have access to a second-factor device (your iPhone). Having a password manager and an OTP manager with seeds on the same device would decrease the security level.

Hope you understand,
Tijme

from macos-receiver.

igr avatar igr commented on June 3, 2024

@tijme that's on the user, how he is going to use the app. Authy, 1Password... they all have the desktop code generator. If you follow the security topic, then you should hide all the codes (not to be visible in the app), as someone may see them.

No worries, I am not trying to make you change your mind :) I do understand.

from macos-receiver.

tijme avatar tijme commented on June 3, 2024

It's not only about hiding the codes. It's about having a password and an OTP seed stored in the same location. Meaning, if that location is breached (e.g. by malware on your computer), both the passwords and corresponding OTP seeds are breached. I've seen this too many times during red teaming engagements and therefore really don't want to implement it.

The current MacOS receiver app is not vulnerable to that kind of attack (at least not breaching all passwords and OTPs at the same time), as the OTPs are not stored in the MacOS app. Only a single one is sent to your computer when you tap it in the app, thus you are really in control.

from macos-receiver.
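The difference tijme describes (a stolen seed versus a single relayed code) is easy to make concrete. The following is an added example, not code from the macos-receiver project or from any commenter: a minimal RFC 6238 TOTP implementation using the RFC's own reference secret as a constructed demo seed. `codes_from_seed` is what malware that has read a seed off disk can do (precompute every future code), while `replay_window` measures how long a single captured code, the only thing the receiver ever holds, stays usable against a verifier with a one-step skew allowance. All function names here are my own.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo seed: the RFC 6238 reference secret, not a real user's seed.
DEMO_SEED = b"12345678901234567890"


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme most authenticator apps use."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def codes_from_seed(seed: bytes, start_time: int, count: int, step: int = 30) -> list[str]:
    """Attacker holding the seed: every future code is computable offline."""
    return [totp(seed, start_time + i * step, step) for i in range(count)]


def verify(seed: bytes, code: str, now: int, step: int = 30, skew: int = 1) -> bool:
    """Server-side check: accept the code only in the current window +/- skew steps."""
    return any(
        hmac.compare_digest(totp(seed, now + d * step, step), code)
        for d in range(-skew, skew + 1)
    )


def replay_window(seed: bytes, code: str, issued_at: int, step: int = 30, skew: int = 1) -> int:
    """Seconds after issuance for which a single captured code still verifies."""
    t = issued_at
    while verify(seed, code, t, step, skew):
        t += 1
    return t - issued_at


if __name__ == "__main__":
    now = int(time.time())
    one_code = totp(DEMO_SEED, now)
    print("receiver only ever sees one code:", one_code,
          "usable for about", replay_window(DEMO_SEED, one_code, now), "s")
    print("malware with the seed gets the next hour:", codes_from_seed(DEMO_SEED, now, 120))
```

The verifier here is hypothetical but typical: most services accept one step of clock skew, so a captured code is worth at most about 90 seconds, and usually much less, whereas a seed is worth every code until it is rotated. That asymmetry is the whole argument for keeping seeds off the machine that also holds the password manager.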

igr avatar igr commented on June 3, 2024

Or... you can just have the list of names&icons in the mac app; when you need OTP the macos app would send a notification to the ios device, the user will auth into the phone and press OK and the OTP is generated and pasted back. This way OTP is still generated on a different device, authed by user (as it is done by Google, JumpCloud, Okta...)

Just the user flow is different. And that is important as well. I need to use OTP on many company resources (even under VPN 🤷‍♂️) on a daily basis. And each time I have to open phone, find and open app, scroll (which takes some cognitive load as there are many numbers I have even for the same client), press, and then go back to the mac. This process interrupts the development flow.

Just an idea, again, no worries. As long as I can export OTPs, I will stick with Raivo (and my personal hacks:)

from macos-receiver.
