Are 2FA browser plugins sufficiently secure?

Çağlar Arlı

Regarding 2FA browser plugins, I follow the uneducated opinion that they usually provide sufficient security. Since a desktop computer is a unique device (even a virtual machine) and provides that required 2nd factor, you can use a 2FA browser plugin just as well (instead of a smartphone app).

You bind yourself to one exclusive machine. It will prevent people on other machines from logging in to your account from the internet. But you will also limit yourself to this restriction. Convenient, if it's the only machine where you need it; useless, if you need it somewhere else, too.

You may argue about the security of the implementation of such plugins itself. But you may also have this argument about your phone's hardware, operating system and of course the 2FA app as well. The same goes for 2FA accounts, which can be used on multiple machines (and hacked), but still remain a 2nd factor.

Last but not least, nothing prevents you from logging into your account from your smartphone's browser, using the 2FA app on that very same smartphone.

A compromised machine is one of many malicious scenarios where it might get dangerous. But then the attacker might just as well wait for you to perform the login.

Since it's called 2-factor authentication, not 2-devices-authentication, a 2FA browser plugin will fulfil that purpose. And if your security level needs don't require you to follow the TrueCrypt password length recommendation of at least 20 random characters, you should be fine.

However, there are people who caution against such plugins, because a 2FA browser plugin is on the same machine and therefore isn't separate from the login process. Hence, they reject the idea and forbid the usage of such a plugin. Are they right?

PS: I'm not arguing that an additional 2nd device wouldn't provide extra security. But it's not a requirement for 2FA.