Edit: As of 2020, almost all banks are doing 2-step verification now for exactly this reason. We are conflicted about whether or not to require 2-step verification before showing passwords, since the banks are protecting transactions with it. And we don't allow cross tab communication. So we are enabling 2-step verification as an option, you can either turn it on, or leave it off within 3rdKey.com.

2-step verification is a way to verify that you are who you say you are, and you want to do what you say you want to do. It can be done through email or phone text messages or an app on one of your devices.

If you give a site your email address, and that site verifies that address, you have, in effect said "I and that email address are connected". So that site can ask you to "confirm" via email, and when you reply from the email, then the site knows you are who you say you are, and you are asking for the site to do something that you want it to do. Same for a phone number or app.

Now, if someone tries to pretend to be you, and asks for £££ be sent to an account that the bank doesn't recognise, then the site can confirm via email or text or app that you really do want to make that transaction.

Of all of the ways to attack a browser, doing 2-step verification prevents all of them from succeeding. However it puts an extra layer of effort for everything you want to do.

To be really safe, even with 2-step verification, every thing you do on a site needs to be 2-step verified. Which can make doing things very cumbersome.

Expect your bank to require 2-step verification for any transaction that it deems as being "out of the ordinary".

3rdKey doesn't rely on 2-step verification for browser attacks, including Man In The Middle attacks, but in order to ensure no Man In The Browser attacks ever succeed, we are making 2-step verification optional.