Comment by waterproof
1 month ago
It wouldn’t be too hard to create a physical device that can only be used to set up and retrieve Authenticator-app style 2FA codes.
All you’d need is a camera to read QR codes, a display, a few kB of storage and some pretty basic processing.
But then I guess that storage would need to be encrypted with some sort of authentication. Hmm.
What about extending the protocol to an actual channel-bound challenge-response one, without the need for a (risky) out-of-band key exchange via a QR code?
We could call it something like Web Authentication. I could even imagine small, keychain-sized USB authenticators that you have to touch a capacitive button on to approve an authentication :)
That doesn't help when the services insist on SMS as 2FA.
Yubikey, FIDO2, etc already exists, though not supported everywhere.
Sounds a bit like Precursor.