Can anyone comment on their "zero touch is safe" claim (https://krypt.co/faq/)? As far as I understand, tokens like YubiKeys require a touch as an explicit action by the user to prevent authentication without their knowledge. Doesn't a zero touch approach remove a security feature?
You pair your phone and browser and then they can talk. Any time you want to log in through that browser it can talk to your phone and auth you automatically. For someone to exploit this, they'd need access to the computer with your browser.
So if your laptop gets stolen, yes this is a bad idea, but I think most people think that they can just revoke the browser's keys if the laptop gets stolen and they are way more likely to have their phone stolen anyway.
I was more thinking of malware / some otherwise rogue process. This seems like something that's worth having in the world of fake support remote desktop scams.
1. Wait for user to sign in.
2. Intercept their sign in.
3. User: "Oh, it didn't work. I'll just try again."
4. User tries again and it works. Attacker is also logged in now.
Alternatively, at that point you could just inject JS into whatever website needed 2FA and do everything without the user noticing anything.
It wouldn't matter if they had their laptop stolen unless they also had their phone stolen. The keys are on the phone. Any new auth attempt would require the phone in proximity of the laptop. It connects via Bluetooth, not over the internet.
I haven't researched their claim, but my guess is that with something like a YubiKey you wouldn't know an authentication has happened. With Krypton, there would be a notification pending on your phone. Possibly you would only be able to authenticate if your phone is unlocked as well.
When Krypton asks you to authorize an access, you can tell it to authorize that single access, authorize the host for three hours, or authorize everything for three hours.
I typically authorize the host for three hours, meaning for the next three hours I don't have to Touch ID in again.
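An added example, not Krypton's code and not a reproduction of its protocol, that models the situation the thread argues about: a rogue process on the paired laptop asking the phone for signatures, first under a "zero touch" setting where a paired browser is enough, then under the three approval scopes described in the last two comments (single request, host for three hours, everything for three hours). The class and function names, hosts, nonces, the key, and the use of an HMAC in place of a public-key signature are all made up for the illustration.

```python
"""Toy model of a phone-held signing key under different approval scopes.

Constructed example; it is NOT Krypton's protocol or code.  It shows what a
rogue process on an already-paired laptop can get signed depending on whether
the phone signs every forwarded request ("zero touch") or the user approves
one request, one host for three hours, or everything for three hours.
"""
import hashlib
import hmac

# Approval scopes the user can pick at the prompt (modelled on the thread's
# three options).  Names and values are made up.
SINGLE = "single"    # approve this one request only
HOST_3H = "host_3h"  # also auto-approve this host for the next three hours
ALL_3H = "all_3h"    # also auto-approve every host for the next three hours
THREE_HOURS = 3 * 60 * 60


class Phone:
    """Holds the secret key; the laptop only ever sees signatures."""

    def __init__(self, key: bytes, paired_browser: str, zero_touch: bool = False):
        self.key = key
        self.paired_browser = paired_browser
        self.zero_touch = zero_touch
        self.host_grants = {}       # host -> expiry time of a standing approval
        self.all_grant_until = 0.0  # expiry time of an "everything" approval

    def _sign(self, host: str, challenge: bytes) -> str:
        # Bind the signature to the host so a signature minted for one site
        # cannot be replayed to another.  HMAC stands in for a real signature.
        return hmac.new(self.key, host.encode() + b"|" + challenge, hashlib.sha256).hexdigest()

    def request(self, browser_id: str, host: str, challenge: bytes, now: float, approval=None):
        """Return a signature, or None if the request is refused.

        approval=None means nobody is at the phone: only a standing rule can
        grant the request.  approval=SINGLE/HOST_3H/ALL_3H means the user saw
        the prompt and approved it with that scope.
        """
        if browser_id != self.paired_browser:
            return None                          # unpaired browser: always refused
        if self.zero_touch:
            return self._sign(host, challenge)   # paired is enough; no prompt at all
        if approval is not None:
            if approval == HOST_3H:
                self.host_grants[host] = now + THREE_HOURS
            elif approval == ALL_3H:
                self.all_grant_until = now + THREE_HOURS
            return self._sign(host, challenge)
        if now < self.all_grant_until or now < self.host_grants.get(host, 0.0):
            return self._sign(host, challenge)   # covered by a standing grant
        return None                              # would need the user; refused


def server_verify(key: bytes, host: str, challenge: bytes, signature: str) -> bool:
    """What the site checks: a signature over its own host and its own nonce."""
    expected = hmac.new(key, host.encode() + b"|" + challenge, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


def run_scenario(zero_touch: bool, approval=None) -> dict:
    """The thread's scenario: the user signs in once (approving with the given
    scope), then malware on the same laptop, through the same paired browser,
    submits its own challenges while nobody is at the phone."""
    key = b"constructed-secret-key"          # made-up key for the example
    phone = Phone(key, "browser-A", zero_touch=zero_touch)
    t0 = 1_000.0

    user = phone.request("browser-A", "git.example", b"nonce-user", t0, approval)
    attacker_same = phone.request("browser-A", "git.example", b"nonce-attacker-1", t0 + 5)
    attacker_other = phone.request("browser-A", "bank.example", b"nonce-attacker-2", t0 + 10)
    attacker_later = phone.request("browser-A", "git.example", b"nonce-attacker-3", t0 + THREE_HOURS + 1)
    unpaired = phone.request("browser-B", "git.example", b"nonce-attacker-4", t0 + 15)

    return {
        "user_signed_in": user is not None and server_verify(key, "git.example", b"nonce-user", user),
        "attacker_same_host": attacker_same is not None,
        "attacker_other_host": attacker_other is not None,
        "attacker_after_window": attacker_later is not None,
        "unpaired_browser": unpaired is not None,
    }


if __name__ == "__main__":
    for label, zt, ap in [("zero touch", True, None), ("single", False, SINGLE),
                          ("host 3h", False, HOST_3H), ("all 3h", False, ALL_3H)]:
        print(f"{label:10s} {run_scenario(zt, ap)}")
```

Running it prints one line per mode: with zero touch every request from the paired browser is signed, including the attacker's; with a single-request approval only the user's own request is signed; a three-hour host grant lets the attacker sign for that one host until the window closes, and an "everything" grant extends that to any host for the same window. In every mode an unpaired browser is refused, which is the part of the "you'd need the laptop" argument the model supports.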