We already have two sorts of OTP generators in place: (a) as hardware (token), (b) as software (e.g. Google Authenticator, Red Hat's FreeOTP). Now I saw browser-based solutions like SecureAuth OTP, which is available as a Chrome app. [ <- correction, thanks JulianKnight for the hint ]

Are there any inherent drawbacks or risks in having the OTP creation within a browser, as opposed to the above-mentioned solutions?

MarkHelms

1 Answer

There are some potential additional risks from using a browser-based tool.

The main one is probably the security of the storage: where are the OTP settings stored, and how secure is that?

The second is that browsers are already quite complex and so may have vulnerabilities over and above a bespoke tool.

Without a doubt, hardware tokens are generally considered more secure, as they tend to be very heavily tested. There have been some notable failures, of course, and that requires recall and reissue.

Software tokens are always likely to be only as secure as the platform that hosts them, so you should bear that in mind too.

Julian Knight
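To make the storage point in the answer above concrete, here is an added example (not part of the original question or answer) of a TOTP generator per RFC 4226/6238 that reads its settings from a stored `otpauth://` key URI. The URI, the account label `Example:alice` and the assumption that a generator persists its settings in this form are constructed for illustration; the secret is the published RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import urlparse, parse_qs

# Constructed sample: the RFC 6238 test secret ("12345678901234567890"),
# base32-encoded inside an otpauth:// key URI as a generator might persist it.
STORED_URI = ("otpauth://totp/Example:alice"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
              "&issuer=Example&digits=8&period=30")


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(key, unix_time // period, digits)


def load_settings(uri: str) -> dict:
    """Parse the stored settings; the decoded secret is the whole credential."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP key URI")
    query = parse_qs(parsed.query)
    secret = query["secret"][0].upper()
    secret += "=" * (-len(secret) % 8)  # base32 padding is often omitted
    return {
        "key": base64.b32decode(secret),
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
    }


def code_from_storage(uri: str, unix_time: int) -> str:
    """Everything needed for a valid code comes from the stored string and the clock."""
    s = load_settings(uri)
    return totp(s["key"], unix_time, s["period"], s["digits"])


if __name__ == "__main__":
    for t in (59, 1111111109):
        print(t, code_from_storage(STORED_URI, t))
```

Nothing outside the stored string and the current time goes into the code, so the protection of a software or browser-based token is exactly the protection the host platform gives that stored value.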