Multi Factor (Login) Assistant. Not meant as a security tool!

This tool is NOT meant to help you increase your security.

Instead, this tool is meant to help me cope with obnoxious blame-deflecting security theater nonsense that has become waaaaay too popular with websites that give a █████ about your account security but decide to don a cheap fig leaf to blame you in case they overshare their passwords database.

I don't. I actually really like to have that option, IF it's done in a useful way that actually increases my security. Like when I can prove my identity to my local device (using any method I deem fit) to unlock an SSH or GPG key that I can then use to identify to the website in a mostly automated way. In that utopia, website logins would actually become easier with better tech, rather than more annoying.

Yeah. Passkeys would totally solve that usability problem. (And also a big part of the security concern.)

Unfortunately, a lot of websites still don't accept them. Also I cannot figure out how to easily hook Firefox up with my credentials manager. Seems like I would have to write a custom browser addon. No thanks.

It's not meant to be one. Ideally you configure mfassi to use your own credentials management software.

• Consider keeping the spirit of MFA by storing your MFA keys on another machine than your password. USB UART adapters are an easy¹ and cool way to transmit short texts between computers without a need for all the complexity (and thus attack surface) of a full network connection.
  (¹ Get two of them, connect both their GND wires and pair each TX to RX. Avoid sending while your neighbor is pointing a suspiciously large antenna dish at them.)
• If you store password and MFA keys as plain text, consider at least minimizing the duration of exposure, e.g. store the file on a USB thumb drive that you only connect when needed, or on an encrypted file system that you only mount temporarily.

:TODO:

• Needs more/better tests and docs.

ISC