I don’t understand open source code. Thanks.
- Input data to the clipboard: copying the 2FA code into the clipboard to paste
- Access your data for all websites: to scan a page for qr code
See Permission request messages for Firefox extensions | Firefox Help to explain what the permissions do.
You can disable both of these permissions in Firefox at least and the extension will still work. Because the content, the codes, and the 2FA secrets are encrypted with a password only you know there should be no “backdoor” because there are no current backdoors to encryption standards. I would recommend not using a authenticator app in the browser as it could be exploited, just like it is reccomended not to store passwords in the browser.