this post was submitted on 21 Aug 2024
1 points (51.6% liked)

Firefox

18048 readers
19 users here now

A place to discuss the news and latest developments on the open-source browser Firefox

founded 5 years ago
MODERATORS
 

EDIT: Yeah... bad idea. Got it.

I've been thinking about this for while. Sometimes there are situations where I have to log into one of my accounts temporarily to look at or take something and logging in is usually a pain in the ass or straight up uncomfortable.

So my idea is that this feature will allow to temporarily share/relay the cookies stored in the mobile browser that are used to remember logged in accounts (login credentials?) over a secure wireless or wired USB connection to use with the desktop browser (in a temporary container/session to not conflict with other users' data) in order to do whatever I do and then wipe out all data upon mobile device removal.

So... what do you think?

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 13 points 4 months ago* (last edited 4 months ago)

No, logins should be harder in order to be secure. Hence the addition of 2FA (which is also incompatible with your proposal).

As developers, we strive to make things more secure, not less, and unfortunately, good security always comes with the trade-off of less convenience for the user (larger entropy passwords, session expiration, captchas, etc).

Now, of course, it depends on how sensible the data in that account is. I wouldn't want this for my email account, for example, or online password manager, which are the entry gates to all my other accounts. The Kagi search engine offers the possibility to login on another device via a session URL which you can copy-paste. And this is fine, if the site / app clearly states the dangers, implemented it securely, tracks and lists the sessions and allows you to invalidate a session for all devices, and you are fine with potentially disclosing the data for that account (forgetting to log out, or disclose the session URL somewhere) - which is not much, as they don't log the searches, only the daily counts. And their use-case makes sense, people aren't used to authenticating in order to search something on the internet.

So, this should be an optional feature offering from the website / app, not built-in in the browser which would make it trivial to be abused by anyone.