I did consider this, and I would also like to believe that my first thought would be "I am being phished" rather than "I'm sure this is the right web site." I do understand that many users (including myself on a bad day) might not recognize a phishing situation. But at least there is a layer of defense that SMS doesn't have.
Maybe the Bitwarden extension should warn users when they try to copy/view a TOTP code by searching for a login rather than using a matched entry.
U2F is my preferred method of MFA, but many services don't support it, and there can be practical issues even for the ones that do. For example, some services support U2F in a browser but not in mobile apps.
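A sketch of the warning suggested in the comment above, as an added example that is not part of the original comment and not Bitwarden's code. The function names, the entry shape and the sample URLs are hypothetical, and matching is done on the saved host and its subdomains only (base-domain matching would additionally need the Public Suffix List).

```javascript
"use strict";

// Hostname of an https URL, lowercased; null for anything else or unparsable input.
function hostOf(url) {
  try {
    const u = new URL(url);
    return u.protocol === "https:" ? u.hostname.toLowerCase() : null;
  } catch {
    return null;
  }
}

// True when pageHost is savedHost or a subdomain of it. The comparison is made
// on a label boundary, so "example.com.evil.test" and "notexample.com" do not
// match a saved "example.com".
function hostMatches(pageHost, savedHost) {
  return pageHost === savedHost || pageHost.endsWith("." + savedHost);
}

// Decide what to do when the user asks to copy the TOTP code of `entry`
// (for instance after finding it through search) while `tabUrl` is the
// page in the active tab. Anything that is not a positive match warns.
function totpCopyDecision(tabUrl, entry) {
  const pageHost = hostOf(tabUrl);
  const savedHosts = entry.uris.map(hostOf).filter(Boolean);
  if (pageHost && savedHosts.some((h) => hostMatches(pageHost, h))) {
    return { action: "allow", reason: "active page matches a saved URI" };
  }
  return {
    action: "warn",
    reason:
      `"${entry.name}" is saved for ${savedHosts.join(", ") || "no https URI"}, ` +
      `but the active page is ${pageHost || "not an https page"}`,
  };
}

// Constructed sample data: one vault entry and a few active-tab URLs.
const sampleEntry = { name: "Example Bank", uris: ["https://example.com/login"] };
const samplePages = [
  "https://accounts.example.com/",       // subdomain of the saved host
  "https://example.com.evil.test/login", // saved host used as a prefix
  "https://notexample.com/login",        // saved host used as a suffix
];
for (const url of samplePages) {
  const d = totpCopyDecision(url, sampleEntry);
  console.log(`${d.action.padEnd(5)} ${url} (${d.reason})`);
}
```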