progval 4 days ago

> 2. U2F/Webauthn key as second factor is phishing-proof. TOTP is not.

TOTP doesn't need to be phishing-proof if you use a password manager integrated with the browser, though.

ameliaquining 4 days ago

A browser-integrated password manager is only phishing-proof if it's 100% reliable. If it ever fails to detect a credential field, it trains users that they sometimes need to work around this problem by copy-pasting the credential from the password manager UI, and then phishers can exploit that. AFAIK all existing password manager extensions have this problem, as do all browsers' native password-management features.
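The two comments above hinge on where the phishing resistance actually lives: a TOTP code carries no information about which site it was generated for, so it is only as phishing-resistant as the path that delivers it. The toy model below, an added example written for this page and not code from any commenter or from any real password manager, makes that concrete. It models a browser-integrated manager that fills only on an exact origin match, next to the manual copy-paste fallback that performs no origin check at all. The vault entry, the `accounts.example.com` origin, the `examp1e.com` lookalike and the RFC 6238 test secret are all constructed; real managers use matching rules that differ from (and are usually looser than) the exact-origin rule used here.

```python
import hashlib
import hmac
import struct
from urllib.parse import urlsplit

# Constructed vault entry. "accounts.example.com" is a placeholder for the real
# site; the secret is the RFC 6238 test-vector secret, not a real one.
VAULT = {
    "https://accounts.example.com": {
        "username": "alice",
        "password": "correct horse battery staple",
        "totp_secret": b"12345678901234567890",
    }
}


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1.

    The code is a function of the shared secret and the clock only. Nothing in
    it names the site it was generated for, so the code itself cannot refuse
    to be entered on a phishing page; only the delivery path can."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def page_origin(url: str) -> str:
    """scheme://host[:port] of the page the browser is actually on."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return f"{parts.scheme}://{host}" + (f":{parts.port}" if parts.port else "")


def autofill(page_url: str, now: int):
    """Browser-integrated path (toy model): the extension sees the true page
    origin and fills only when it exactly matches the origin the entry was
    saved under. A lookalike domain, a subdomain trick or an http:// downgrade
    simply gets nothing."""
    entry = VAULT.get(page_origin(page_url))
    if entry is None:
        return None
    return {
        "username": entry["username"],
        "password": entry["password"],
        "totp": totp(entry["totp_secret"], now),
    }


def copy_paste(entry_origin: str, paste_target_url: str, now: int):
    """Manual fallback: the user opens the vault UI, copies the values and
    pastes them into whatever tab is in front of them. No component on this
    path ever compares entry_origin with paste_target_url, so the TOTP code
    is just as valid on the phishing page as on the real one."""
    entry = VAULT[entry_origin]
    return {
        "username": entry["username"],
        "password": entry["password"],
        "totp": totp(entry["totp_secret"], now),
        "delivered_to": page_origin(paste_target_url),
    }


if __name__ == "__main__":
    T = 59  # RFC 6238 test time; the expected 6-digit code is "287082"
    print(autofill("https://accounts.example.com/login?next=/", T))
    print(autofill("https://accounts.examp1e.com/login", T))            # None
    print(autofill("https://accounts.example.com.evil.test/login", T))  # None
    print(copy_paste("https://accounts.example.com",
                     "https://accounts.examp1e.com/login", T)["totp"])  # 287082
```

The `autofill` path refuses the lookalike, the subdomain trick and the plain-http downgrade without the user having to notice anything, which is the property the TOTP-in-a-password-manager argument relies on. The `copy_paste` path hands out the identical code no matter what URL is in the address bar, which is the gap the reply above describes: the moment a user is trained to fall back to it, the origin check is out of the loop.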

xboxnolifes 4 days ago

It doesn't need to be 100% reliable, just reliable enough.

If certain websites fail to be detected, that's a security issue on those specific websites, as I'll learn which ones tend to fail.

If they rarely fail to detect in general, it's infrequent enough to be diligent in those specific cases. In my experience with password managers, they rarely fail to detect fields. If anything, they over-detect fields.

ameliaquining 3 days ago

I think this security model requires nontechnical users to be paying more consistent attention than is realistically safe to rely on.

shhsshs 4 days ago

I think it's more appropriate to say TOTP /is (nearly)/ phishing-proof if you use a password manager integrated with the browser (not that it /doesn't need to be/ phishing-proof).