Description
Feature description
When using the browser extension to request a token from my (Android) phone's app, I am required to enter my PIN after tapping Accept on the notification (if a PIN is configured in the Application's security settings).
I am asking for an option in the Security settings to "Not require PIN entry to accept Browser Extension requests for already paired domains".
While it would be nice to have this option be a toggle on a per-Token basis, I acknowledge that this introduces additional complexity and it may not be worth it.
Motivation
While this option would not meet the security requirements for some, this disabled-by-default option would allow for more seamless acceptance of 2FA Browser Requests while still allowing the full application to be protected by a PIN.
The Android Notification accept Action already requires a pretty specific scenario: an existing Browser Extension pairing and an existing Browser Extension Paired Domain configuration on the specific token.
The Android App Notification Actions seem to already require the Android device to be unlocked prior to interaction, so the likelihood of non-consensual approval on a device is already significantly reduced.
Where this would be most impactful is when a user has a wearable device connected to their Android device:
The current experience allows for on-wearable acceptance of Browser Requests via the Android Notification's Action Buttons only if the 2FA Android app does not have a PIN enabled.
(The ability to interact with notifications on the wearable depends on the security configuration and settings of the wearable device, which vary by device and user settings. As an example, the Pixel Watch 3 can lock itself and require that a device PIN be entered immediately when it detects that the watch has been removed from the user's wrist. Other devices that lack biometric sensors may only require a PIN entry when the wearable loses its Bluetooth connection to the associated Android phone.)
Example of a notification on the Pixel Watch 3 of a browser request for a token that does not match an existing paired domain:

Example of a notification on the Pixel Watch 3 of a browser request for a token that has an existing paired domain:

Acknowledgements
- This issue is not a duplicate of an existing feature request.
- I have chosen an appropriate title.
- All requested information has been provided properly.