If your computer is compromised whatever token/cookie you will get from the authentication will be also compromised.

Assuming the computer is compromised also open a lot more issues, privilege escalation can be done in a lot of ways depending of what is being installed (even sudo was hit by such issues https://www.cve.org/CVERecord?id=CVE-2021-3156 )

There is an irony in password managers that stores your password but need a password (passphrase would be better). A password for your passwords. Fundamentally this is because the only secured space, only you can get in and no one else, is your own brain.

Most password leaks are usually caused by bad implementations on the server side. I have an authentication protocol to avoid many password leakages I’d like to share one day (double salt, one from client, one on server so password is never shared to the server).

Database is encrypted in the local storage of the extension. So far Firefox is secure enough so this is not accessible from outside (it is encrypted anyway). The encryption is using the crypto web API (native from web browser) to use PBKDF2 key. It is decrypted with your password so the database is in RAM (not saved anywhere unencrypted) as long as the browser is open or you click to “logout”.

You can export/import all the entries with a simple JSON format (for now, simple “name”+“secret” for each entry). You should encrypt this export file or save it in a encrypted volume yourself.

Thank you for your constructive comment.

Indeed many people thinks 2FA as 2 devices. I am not sure where that came from and what specifically make people think that way. Despite all my research and experience using 2 devices solve no specific security problem. I think there is a whole topic to be argued on this (should I make a blog post on this?).

As for me I have Aegis on my smartphone (really perfect nothing to say). But I have many unwanted/unnecessary 2FA to go through every day (for the last 3 years). I am cleaning my cookie/connection every time I close my web browser and I am not keeping my computer on all the time. Therefore those 2FA needs to be done a lot (I mean at least 3 time a day). I do not interact much with my smartphone, also this is the least secure device I own so web browser extension is an OK way. I used to have a python script I could have run from one of my IoT through ssh. So far I don’t see any vector of attack this would prevent compared to browser extension.

I see hundreds of thousands of users using other extensions that I wouldn’t run on my system and I am sharing a better solution, nothing perfect, nothing that requires mass adoption.

Well this is 600 lines of code, if you cannot audit that you can indeed ignore it for now. Once again this is the only auditable code out there and not asking for unrelated permissions.