Faktor is a native macOS app with a small Chrome extension, and once you install Faktor it's easy to forget that this functionality isn't native to Chrome.
Enjoy!
It is an access requirement for something else, which fulfills the criteria of 2FA.
In this case, there is a requirement to access the browser and phone.
I guess it’s still safe against leaking of your password only.
It depends on your threat model vs usability/ease of use.
If your computer is compromised, the 2FA should be somewhere else, not in a keychain.
This is why I like Yubikey and other forms of 2FA (phone based TOTP, mostly).
Even if it is stored in your password manager, it is still useful. Consider the case where your network or website is compromised: the password is compromised and can be reused, but the TOTP 2FA that is in your password manager still prevents login by anyone who obtained your password. There are many attack scenarios, but storing 2FA and enabling autocomplete definitely does not make it useless.
A laptop, or even better, a large, immobile desktop PC, is a much better second factor than a phone, and there is no reason why a user should be forced to go find their phone when they have console access to a much larger device.
Putting a Yubikey semi-permanently on every device and having you do a one-time registration of each device (initially using another already-registered device) should be the default way of implementing 2FA.
I think what helps a lot is that if it's broken in Safari on macOS (not a big deal for the business), it would also be broken in Safari on iOS (which would be a disaster).
While nice for users, this funding model kills anything bigger than a one-man project in today's world.
Turns out users pay one-time but software developers prefer their salary not to be paid one-time.
Having the totp seed inside a password manager doesn't break this goal, so I'm fine with it.
Of course it means if my password manager gets hacked, there's everything to log in inside, but I'm more concerned about services leaking password hashes that get broken, or accidentally getting phished (and giving up a password + TOTP combo that can only be used once) instead of my password manager being hacked.
Besides being able to unlock the phone in the first place obviously.
1Password's had this for many years now. In a perfect world with users who followed the rules perfectly every time, a separate TOTP gadget is clearly better. In this world, a slightly less secure TOTP system that's convenient enough that regular people actually use it is vastly better than a perfect system that gets worked around.
Analogy: NIST says to stop requiring periodic password rotations. In dreamland, users would use their password manager to create a new, ultra-strong, unique password every time. In reality, people tired of the rotation treadmill go from `SecurePassword!202406` to `SecurePassword!202407`.
As a component, a separate TOTP generator is better. As a system, an integrated one is more useful.
The level of friction Bitwarden adds as compared to 1Pass is staggering.
Also, their Firefox extension eats resources like a new baby (I had to disable it because just a handful of tabs [1] were killing my machine).
[1] May be a little more than a handful, but having to disable an extension so that your machine behaves normally is telling.