You are better off security-wise with 2FA enabled than without it (for the phishing-related reasons mentioned in TFA - EDIT: taviso is correct in their comment, it's more about protection against credential stuffing than phishing), regardless of where you put the codes, so if being able to put the codes in your password manager is going to be the difference-maker in someone electing to use 2FA, they should do it.
It's the same idea with using a password manager in the first place - if a password manager is going to be the thing that gets you to use secure passwords that vary across services, it's worth the tradeoff of having all of those passwords in one place, because you're much more likely to be compromised by a bad password than by a password manager leak.
jasonjayr 17 days ago [-]
The risk is that if your password manager's database is stolen, then an attacker can do an offline decryption attack on it, and should they succeed, they have both parts of the login to compromise you.
At the very least, you SHOULD keep the 2FA credentials in a separate database (i.e., KeePassXC can keep multiple databases), so an attacker would need to double their efforts to get both parts of the login.
ziml77 17 days ago [-]
Are there any reasonable attacks against AES-GCM-256 where the key is a mix of a randomly generated 128-bit key and a password? If not then I have no concerns about an attacker cracking my 1Password database.
Eddy_Viscosity2 16 days ago [-]
> Are there any reasonable attacks against AES-GCM-256 where the key is a mix of a randomly generated 128-bit key and a password? If not then I have no concerns about an attacker cracking my 1Password database.
Hackers rarely break through the front door. They find a vulnerability elsewhere in the code, your OS, other programs on your computer, the companies servers, the companies staff, and so on. You have to have full faith not just in the encryption algorithm, but its implementation, everything and everyone around it and everywhere it operates and interacts with. Any one of these could be a route in.
bluGill 17 days ago [-]
The password is generally the weak point. If you can remember it any modern computer can guess it in a short time. Which is why password generation is so important.
yoble 17 days ago [-]
I don't think that's correct as a blanket statement - you can use a passphrase, or remember a 14+ character password since you only have one to remember.
Even if it's only random-ish, password managers do key stretching (for example by hashing the password 600k times - Bitwarden has a high default value and lets you increase it if you like) so that it has to take some computational effort to check if a single password is correct. That's why it takes a few seconds to unlock your vault each time.
With these in place I think you're pretty safe for a long time. (Well, maybe until quantum computing breaks those ciphers?)
baliex 17 days ago [-]
> If you can remember it any modern computer can guess it in a short time.
That's not true. A long sentence of your choosing is easy to memorise and plenty long enough to not be able to be guessed by a computer (brute force).
bluGill 17 days ago [-]
That isn't a word though.
number6 16 days ago [-]
As a German I have access to words like "Moselschifffahrtspolizeimützenverordnung" and that's a mild one :)
bluGill 16 days ago [-]
Stupid German proving me wrong with something that most languages don't have access to.
\s
I'm sure German is not alone, but it is the only one I'm aware of - though with over 7000 known languages I doubt anyone knows enough to state anything with confidence.
number6 15 days ago [-]
I believe Sanskrit has some very long words like 600 Roman letters or something
Modified3019 17 days ago [-]
Passphrases are much easier than passwords in this regard. Though I fear keylogging more than brute forcing what my main password is.
But this is why I use security keys like yubikeys. Doesn’t matter if an attacker knows my main password for any number of reasons, there’s fuckall they can do with it without my physical key.
And even if they get into my vault and extract passwords, for many websites (in particular the most important ones) they’d still need to use my security key, they can’t just use the passwords.
Attacks are still possible (with browser session fuckery?) but much harder than yet another breach where a website was storing passwords in plaintext
I like, no I think it's simply a hard requirement, that I can recover from nothing but the contents of my head. I can wake up naked in a foreign country and regain everything.
yablak 16 days ago [-]
I'm also interested in the answer to this question. Can one separate the cracking of the password and the key?
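The question above, together with yoble's point further up about key stretching, in an added example that is not code from any commenter and is not 1Password's or Bitwarden's actual implementation. It assumes a simplified two-secret construction (PBKDF2-HMAC-SHA256 over the master password, then HMAC with a random 128-bit secret key that the stolen database does not contain), a key-check value standing in for the real AES-GCM ciphertext, a constructed wordlist, and a deliberately low iteration count so the demo runs in well under a second:

```python
import hashlib
import hmac
import os
from typing import Optional

# Illustrative default; the comment above cites 600k as Bitwarden's default.
ITERATIONS = 600_000


def derive_vault_key(password: str, salt: bytes, iterations: int = ITERATIONS,
                     secret_key: Optional[bytes] = None) -> bytes:
    """Stretch the master password with PBKDF2; if a device-held secret key is
    present, fold it in so neither factor alone yields the vault key.
    (Assumption: the HMAC mixing step is illustrative, not a vendor's scheme.)"""
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    if secret_key is None:
        return stretched
    return hmac.new(secret_key, stretched, "sha256").digest()


def make_verifier(vault_key: bytes) -> bytes:
    """Stand-in for the ciphertext an attacker tests guesses against."""
    return hmac.new(vault_key, b"vault-key-check", "sha256").digest()


def crack(candidates, salt: bytes, verifier: bytes, iterations: int = ITERATIONS,
          secret_key: Optional[bytes] = None):
    """Offline dictionary attack on a stolen database.
    Returns (password, guesses_tried); password is None if nothing matched.
    Each guess costs one full PBKDF2 run, which is the whole point of the
    iteration count."""
    tried = 0
    for pw in candidates:
        tried += 1
        key = derive_vault_key(pw, salt, iterations, secret_key)
        if hmac.compare_digest(make_verifier(key), verifier):
            return pw, tried
    return None, tried


def demo(iterations: int = 2_000):
    """Constructed scenario: same vault password, with and without a secret key."""
    salt = os.urandom(16)
    wordlist = ["password", "letmein", "correct horse battery staple", "hunter2"]
    vault_pw = "hunter2"
    secret_key = os.urandom(16)  # 128-bit, generated once, never sent to the server

    # Case 1: password is the only secret. The dictionary attack recovers it
    # after len(wordlist) PBKDF2 evaluations.
    v1 = make_verifier(derive_vault_key(vault_pw, salt, iterations))
    found_pw_only, guesses = crack(wordlist, salt, v1, iterations)

    # Case 2: secret key mixed in. With the database but not the secret key the
    # attacker cannot even tell whether "hunter2" is right: the password cannot
    # be cracked separately, and the search space becomes wordlist x 2^128.
    v2 = make_verifier(derive_vault_key(vault_pw, salt, iterations, secret_key))
    found_without_secret, _ = crack(wordlist, salt, v2, iterations)

    # Only an attacker holding BOTH the database and the secret key is back to
    # case 1 (this is what device compromise, not a server breach, buys them).
    found_with_secret, _ = crack(wordlist, salt, v2, iterations, secret_key)

    return found_pw_only, guesses, found_without_secret, found_with_secret


if __name__ == "__main__":
    print(demo())
```

Raising `iterations` from 2,000 to 600,000 multiplies every guess in `crack` by 300 for the attacker and only changes one unlock for the legitimate user, which is why the few-second unlock delay is the feature and not a bug.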
EPWN3D 16 days ago [-]
The threat model of password managers and encryption as a whole assumes that the adversary has the ciphertext. If the adversary can decrypt it, then the encryption algorithm is fundamentally broken.
There is literally no point to encryption if possession of the ciphertext is sufficient to extract the secret.
ghjfrdghibt 17 days ago [-]
Or you can protect the database with a keyfile and/or a hardware key meaning you need 2 or 3 factors for the database.
This is what I do for my keepass database. It means I can store my database in a cloud service of my choice for sync purposes too.
WXLCKNO 17 days ago [-]
After seeing people lose cryptocurrency first hand through the LastPass leaks (hot wallet seed phrases, which is still stupid to have online but..), I really feel like the odds of a leak being the cause of any issues are higher than those of a bad password, for tech savvy security conscious users at least.
01HNNWZ0MV43FF 17 days ago [-]
Wasn't that because they had backed up their password vaults to LastPass' cloud service?
I use KeePass, never upgrade it, and only back it up to my own cold spinning drives. If malware stole my local vault I'd be in trouble, but it's more convenient than keeping my passwords on paper.
niij 16 days ago [-]
LastPass is inherently a SaaS, right? There is no ability to use it without syncing your vault to their servers.
justinclift 16 days ago [-]
Maybe Bitwarden would be the better alternative, as it's OSS?
Part of why I avoid password managers that use their own cloud system. Storing my vault in a regular cloud database, not a password-specific one, to me makes it much less likely my vault will be compromised.
rkagerer 17 days ago [-]
Not criticizing, but I'd rather not have it in the Cloud at all.
kcartlidge 16 days ago [-]
> After seeing people lose cryptocurrency first hand through the LastPass leaks
The reason for those losses was partially that LastPass was encrypting with extremely low iterations on long-standing accounts (it also may not have helped that they didn't encrypt URLs either). That was a terrible practice which isn't duplicated by credible alternatives.
As a matter of opinion you may still be right, though personally I consider the risks of a bad password to be higher than a leak purely because without a password manager making it simple to use long random passwords most do tend to be bad ones (duplicated/short/guessable/engineerable) as those are the only ones that are memorable.
It's the usual trade-off between security and usability, with the perfect being the enemy of the good, especially in regard to pushing less technical users to solutions which may not be ideal but are still much safer.
watermelon0 17 days ago [-]
If you store both in one place, it's similar to 1FA. In such case it's a lot better to just use passkeys (where supported).
crazygringo 17 days ago [-]
Good point about it being similar to passkeys.
But why would it be better to use passkeys?
Because don't sites with passkeys generally still allow you to fall back to password, since it's common for people to lose their phone and then lose their passkey? Whereas sites with 2FA obviously don't, and have more complicated/secure recovery mechanisms?
So seems to me like 2FA (TOTPs) are currently vastly better in practice?
jamesmotherway 17 days ago [-]
Hardware keys and passkeys are better because they can't be phished. In the case of hardware keys, one should register multiple to prevent lockout. Most implementations of passkeys seem to be portable, letting them exist on multiple devices (something that gives me pause).
If an adversary can successfully phish someone, they can often also trick them into providing TOTP codes or approving push notifications. However, TOTP remains significantly better than the alternatives, as it prevents credential stuffing attacks and SMS-related compromises while potentially limiting any account breach to a single session.
crazygringo 16 days ago [-]
> Hardware keys and passkeys are better because they can't be phished.
I think you're missing the point I made -- that because of the way sites are currently set up, your password can be phished even if you have a passkey, and your password is good enough to get you in.
So given that that is the current state of things, isn't TOTP better because it prevents this? Because at least the TOTP won't let an adversary get in a second time.
jamesmotherway 16 days ago [-]
Sorry, I overlooked part of your post earlier - I'm tired. As I previously alluded to, I don't use passkeys due to concerns about their implementation. Whether passkeys are better than TOTP really depends on the individual user's circumstances.
Which service is it? Do they ever use that password?
If I were used to signing in with a passkey, I'd find a password prompt suspicious. While the average person might not, it's also possible they would have forgotten the password entirely. There are other services that force TOTP even with hardware keys enrolled. Technically they can be phished, but it would not be successful in all cases.
Unfortunately, varying behavior and support for multifactor protocols (along with risky reset flows) makes it hard to give blanket recommendations.
Ferret7446 14 days ago [-]
Most sites that allow a passkey also require you to set up 2FA with your password when enabling passkeys. Which, unless you also set up an alternative method like TOTP, would also be your passkey.
So ironically, your options would be your passkey, or your password+passkey/FIDO key (in 2FA mode).
zzyzxd 17 days ago [-]
How many places is generally irrelevant. If a system requires user to provide 2 factors to authenticate, it is 2FA. A password manager software itself should be no exception.
jamesmotherway 17 days ago [-]
If the vault requires a hardware key and master password to access the encrypted password and token, would you still describe it as single-factor authentication?
Spooky23 17 days ago [-]
TOTP tokens aren’t really MFA anyway. They are just another type of password that is more about protecting against bad password practices and other compromises. They deliver multi-step auth.
Tokens that increase the trust level of an authentication come with additional controls (tamper resistant hardware, passcode, etc)
For normal people, a FIDO token delivers the highest level of security and integrity.
mid-kid 17 days ago [-]
The reason I store 2FA codes in my password manager is as a protest to companies forcing me to have a 2FA. I don't want to be randomly locked out of my google account due to not having a usable 2FA, and I also don't want to depend on having a single device be always available to provide the codes.
In practice, I feel the main reason 2FA is popular is because people cannot be trusted to create unique and secure passwords for every service. The phishing-resistance is nice, but I'd prefer it being the only credential, and just having it be autofilled (making it longer to combat bruteforce), like what we currently have with password managers...
Here's to hoping passkeys turn out any better.
forty 17 days ago [-]
Yes, my point of view is that using a password manager with unique and strong passwords everywhere is bringing most of the benefits you get with TOTP, and then you can have TOTP for compliance with security policy only.
ghjfrdghibt 17 days ago [-]
Passkeys are a shitshow at the moment, I store passkeys in my password manager along with 2fa codes as it is the only way to make them reasonably usable. And obviously the only other way to manage passkeys is to rely either on a single device, trust big corps and vendor lock in, or to have multiple passkeys on multiple devices/services for the same sites/accounts.
loeg 17 days ago [-]
> In practice, I feel the main reason 2FA is popular is because people cannot be trusted to create unique and secure passwords for every service.
Right. This is the killer feature of passkeys.
WhyNotHugo 17 days ago [-]
FWIW, you can store 2FA/TOTP tokens on more than one device. For example, I store many on two separate Yubikeys.
Then again, I do this for accounts that I really care about, I just keep TOTP in my password manager for accounts that are not worth the effort.
Alex-Programs 17 days ago [-]
I store 2FA keys in a fingerprint protected Aegis vault on my phone, and I periodically export an encrypted (with a master password I remember) backup that I then email to my parents.
I get their argument that 2FA makes phishing more difficult, but I disagree that it's its "primary use", or that the distributed factor is unimportant. I personally wouldn't feel comfortable having all my important accounts behind Bitwarden's single point of failure. 2FA for important accounts mitigates the damage if my Bitwarden is broken into.
taviso 17 days ago [-]
I'm not familiar with the expert they consulted, but the claim that "The main advantage of 2FA is that it is much more difficult to gain access to your accounts via phishing attacks" is just plain false.
TOTP or SMS-2FA are obviously phishable, if you just entered your password into a phishing site, why wouldn't you also enter a TOTP code? I usually point to Modlishka as a practical example (https://vimeo.com/308709275) to help visualize this.
In fact, the main (claimed) advantage of 2FA is that it prevents "Credential Stuffing" of reused passwords. I personally don't think TOTP (or similar) are a good solution to this problem at all, but this is a thorny issue.
eblume 17 days ago [-]
The point here, I believe, is that 1Password will only prompt you to enter the 2FA code if the domains match, same with the password. Your point that if you've already decided to enter your password then entering the 2FA code isn't much of a hurdle is sound, but from the perspective of a user of 1Password, it is indeed very surprising (and rare!) when I try to log in to a page and find that 1Password won't show my log in because the domains don't match. It happens, usually due to some cross-origin login flow, but it's rare. So I think the claim isn't false, it's just based on a premise that might not factor in for different people.
watermelon0 17 days ago [-]
If domain doesn't match, password manager of choice will not suggest to populate credentials. In that case it doesn't matter if 2FA is saved by the password manager, or is managed on another device, because you won't have the chance to use the 2FA.
If domain doesn't match, and you manually copy the password, and login, you can as well manually copy the 2FA code.
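The domain check that eblume and watermelon0 describe, as an added example that is not part of any comment and not 1Password's or any other manager's code. It assumes that the manager fills on a match of the registrable domain (eTLD+1) over HTTPS, which is one common policy rather than every product's; the public-suffix table is a small constructed stand-in for the real Public Suffix List:

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption: real managers
# ship the full list). "github.io" is included to show that two user sites on
# a shared suffix must NOT be treated as the same origin.
PUBLIC_SUFFIXES = {"com", "co.uk", "github.io", "example"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 for a hostname, e.g. 'google.com' for
    'accounts.google.com'. Longest public suffix wins, then one more label."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return host          # host is itself a public suffix
            return ".".join(labels[i - 1:])
    return host                      # unknown suffix: require an exact host match


def should_autofill(saved_url: str, page_url: str) -> bool:
    """Decide whether a saved login may be offered on the current page.
    Both the password and a stored TOTP code are gated by this same check,
    which is why storing TOTP in the manager neither helps nor hurts here."""
    saved, page = urlsplit(saved_url), urlsplit(page_url)
    if page.scheme != "https":       # never fill a secret over plaintext HTTP
        return False
    if not saved.hostname or not page.hostname:
        return False
    return registrable_domain(saved.hostname) == registrable_domain(page.hostname)


def offer(entry: dict, page_url: str):
    """Return the credentials to fill, or None. `entry` is a constructed
    vault record with 'url', 'username', 'password' and optional 'totp'."""
    if not should_autofill(entry["url"], page_url):
        return None
    return {k: entry[k] for k in ("username", "password", "totp") if k in entry}


if __name__ == "__main__":
    entry = {"url": "https://accounts.google.com/signin", "username": "alice",
             "password": "x", "totp": "123456"}
    for url in ("https://mail.google.com/", "https://accounts-google.com/signin",
                "https://accounts.google.com.evil.example/", "http://accounts.google.com/"):
        print(url, "->", offer(entry, url))
```

The lookalike hosts (`accounts-google.com`, `accounts.google.com.evil.example`) get nothing, and neither does a plain-HTTP copy of the real host. What the check cannot do is stop the user from opening the vault and copying both the password and the code by hand, which is exactly the point made in the comment above.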
Dylan16807 17 days ago [-]
> The point here, I believe, is that 1Password will only prompt you to enter the 2FA code if the domains match, same with the password.
Yes, same with the password.
So it is not an advantage of 2FA.
Scion9066 17 days ago [-]
I think their point was that it's less phishable from the perspective of needing the attacker to try logging into the site with it in realtime instead of being able to just store the password for some later time. The needed concurrency makes it more difficult (if only slightly).
I'm curious though why you don't think TOTP or similar are good against credential stuffing though, would you be able to expand upon that?
taviso 17 days ago [-]
The attacker doesn't need to literally be sitting at a keyboard, that can just be automated.
> I'm curious though why you don't think TOTP or similar are good against credential stuffing though
Imagine you reuse the same password everywhere, and are sick of credential stuffing attacks. You ask your friend for advice, and your friend tells you to just enable TOTP when available, explaining that when there is a data breach you will be safe.
That is obviously bad advice, the vast majority of services do not use TOTP and you will have to race attackers to change your credentials quickly at dozens (hundreds?) of services. I think a reasonable person would say that you have not "prevented" credential stuffing.
A far better solution is unique passwords, it works today with all service providers.
gchamonlive 17 days ago [-]
It's better than not having 2fa, but a breach to your password manager would give any attacker full control over your accounts.
A better approach would be to split in two solutions where you store passwords and 2fa keys.
I use Bitwarden for passwords, but save all 2FA in Aegis. These two have different 5 word passphrases prefixed with a regular 8 char password to increase entropy. I save a backup of the 2FA db to a replicated storage with a synthetic password. For Bitwarden I delegate persistence of the data to Bitwarden, but it would make sense to take encrypted backups regularly.
The disaster recovery protocol is to have a smaller 2FA encrypted database printed on paper. I know the password to this db. Recovering this DB gives me access to Bitwarden and the cloud storage, which gives me access to the rest of my passwords and keys.
kcartlidge 16 days ago [-]
Similar - I use Bitwarden for passwords and Authy for 2FA so a compromise of only one of them is not a disaster (assuming a site supports 2FA which my important ones largely do).
gchamonlive 16 days ago [-]
Authy is nice because it takes care of replication, but once you have all your devices synced I'd disable adding new devices, otherwise it'll expose your 2fa in case of SIM card breaches
1970-01-01 17 days ago [-]
I disagree with the experts here. There was and is absolutely nothing wrong, and quite a lot right, with having the 2FA program completely separate from your password vault. At best, this is a lateral security trade-off that you are paying them to provide. View the 2FA feature from a software marketing and sales lens. Can you see how it's just feature creep, driven by competition doing the exact same thing?
baobabKoodaa 17 days ago [-]
Same here. It seems like they are very narrowly optimizing for the extremely rare case of a person who simultaneously:
A) Is fooled by a phishing attack
and
B) Is not fooled enough to manually copy-paste credentials from their password manager after noticing that the autofill didn't work
Does a person like this exist somewhere? Sure, if you interview 1 million people, I'm sure you will find 1 person like this.
It is very, very strange to me that the security "experts" are narrowly optimizing for this specific user and downplaying all the risks related to their recommendation.
yoble 17 days ago [-]
In my previous company we hired a startup that did security training, that recommended everyone use a password manager. And one of their tests was that they sent a fake phishing email to people (randomized over a couple of months so not everyone would get it the same day).
I don't remember the exact number but something like 30% of people who didn't use a password manager got caught. Basically no-one using a manager was.
Granted there might be some selection bias (people who had managers were probably already slightly more security conscious), but people were feeling slightly embarrassed to have been caught and it worked great to have everyone do the switch. And everyone remembered after that that if it doesn't autofill, something's amiss.
baobabKoodaa 17 days ago [-]
The most important bit of information is missing from your post: was everyone using 2FA? If yes, then you make a relevant point.
Dylan16807 17 days ago [-]
Even if no 2FA was involved at all, it's a good answer to the scenario you were posing.
I think plenty of people will have second thoughts when the password doesn't go.
baobabKoodaa 15 days ago [-]
The comparison here is using 2FA with external device, or putting 2FA codes into a password manager.
Any kind of experiment that doesn't involve 2FA at all is not relevant for this comparison.
Dylan16807 15 days ago [-]
The anecdote provides evidence for people that are initially fooled by a phishing attack but aren't fooled enough to manually copy-paste credentials when autofill doesn't work.
Your argument about 2FA depends on how many of those people there are.
Therefore the anecdote is quite relevant, indirectly.
sneak 17 days ago [-]
The most common 2FA mobile app that isn’t a password manager is Google Authenticator.
Google Authenticator doesn’t export the seeds or store the seeds in the device backup, or sync them, so when you lose or upgrade that phone, you lose all your TOTP. This is bad.
Also, TOTP in general is bad, because it is easily phished, just like passwords. Using a password manager to store TOTP cuts down on phishing risk as it won’t input them into the wrong domain site. Copying them manually from a different app is still vulnerable to phishing.
doodlesdev 17 days ago [-]
> Google Authenticator doesn’t export the seeds or store the seeds in the device backup, or sync them, so when you lose or upgrade that phone, you lose all your TOTP. This is bad.
FreeOTP+, available on FDroid [1] provides for import/export of one's stored codes.
The problem with "phishing" is not the technology. Phishing is 100% a human issue and no matter what tech. you might use, those humans vulnerable to being phished will find a way to be phished.
What would be the way to phish someone who has a hardware security key that they have to touch?
ww520 17 days ago [-]
For Google Authenticator, you can do an export for device migration. Once it shows the QR code image, snap it and then abort the migration. Back up the QR code for later restoration.
clysm 17 days ago [-]
> There was and is absolutely nothing wrong, and quite a lot right, by having the 2FA program completely separate from your password vault.
Did you read the article? That's what they say.
> For maximum security, you can store your 2FA token elsewhere ... but for general purpose use, storing your 2FA in your password manager is an acceptable solution due to the convenience benefits it provides.
baobabKoodaa 17 days ago [-]
> Did you read the article? That's what they say.
No, that's not what they say. If you read the text that you just now quoted, you will see that it says "storing your 2FA in your password manager is an acceptable solution due to the convenience benefits it provides". Clearly the writer of that text believes there _is_ something wrong with having 2FA completely separate from the password vault: it is less convenient, to the extent where they are happy recommending this horrible approach to laypersons.
In addition, if you go and read OP, you will find that they talk about the potential of losing access to your TOTP codes stored in Google Authenticator. So that's another thing that counts as "something wrong" with storing 2FA separately from password vault.
So there's at least 2 things in the article that count as "something wrong". So they definitely didn't say that there's "absolutely nothing wrong".
cycomanic 17 days ago [-]
They say it's less convenient, that doesn't mean they say it's wrong. And yes it is less convenient, why are you saying it's "horrible"? Security is always about compromises, if the less convenient method causes people to come up with workarounds then it would be worse even if in theory it's more secure.
baobabKoodaa 17 days ago [-]
> if the less convenient method causes people to come up with workarounds then it would be worse even if in theory it's more secure
but that's literally what this is... the less convenient method (2FA) caused people to come up with workarounds (saving 2FA secrets in their password vaults)... and I'm saying it's horrible
skybrian 17 days ago [-]
More generally: the world would be a better place if most people relied on password managers. If you can do it reliably, using any password manager, even the one built into your browser or OS, is better than not using one.
The problem is that it requires a certain amount of good hygiene when it comes to computer equipment. There are many people who are bad with computers, who don’t have phone backups and lose their phone, who will share accounts and devices, and so on. The result is an insecure mess.
So, solving the “people should use a password manager” problem requires solving all the other issues surrounding how non-technical people use and misuse computer equipment, so that having a password manager and not losing the essential data stored in it becomes the default.
For some people, it would probably be safer and easier to write down your passwords on paper, in a notebook. Other people will lose the notebook, or have it stolen from them. There are similar but more complicated issues with holding onto computer devices.
raywu 17 days ago [-]
Isn’t this what passkey is trying to sidestep? Assuming the user is at least authenticated on one device.
cuu508 17 days ago [-]
For people who are bad with computers, I think passkeys could work ok in scenario where somebody has just one device, they never upgrade it, never lose it, never break it, never accidentally click on "log out" in their passkey provider's account.
skybrian 16 days ago [-]
In other words, having just one device is as bad as having just one key to a safe. You need redundancy to avoid getting locked out.
myflash13 17 days ago [-]
Important to note that not all password managers are equal. Using Apple’s built-in password manager is more secure because it is inherently tied to your biometrics and authentication is hardware-based, i.e. Secure Enclave. This is categorically different from web services like Bitwarden or 1Password authenticated by login email and 2FA codes. Even if someone got into your Apple ID they still would be unable to view or sync your passwords without biometrics.
politelemon 16 days ago [-]
Absolutely the opposite. Using Apple's built in one is less secure because it is within the ecosystem that you are subject to; if you are locked out of said ecosystem, you are locked out of everything. Password managers should never ever be inside your ecosystem. That is why people often manage the database syncing themselves and relying on the database own strength, eg kdbx.
myflash13 16 days ago [-]
To insure against being locked out of my Apple ID I simply export and store my own backups periodically. Good idea regardless of which provider you use.
anonyme-honteux 17 days ago [-]
It's not a good thing at all that what manages the secrets of my digital life is hardware based... on the hardware of one single vendor
myflash13 17 days ago [-]
You have to trust your device manufacturer anyway.
watermelon0 17 days ago [-]
iCloud syncs passwords between your devices.
If someone can login via your Apple ID, which means that the person knows username/password, and can also convince you to provide them with 2FA code that gets shown on your existing device, they can just add a new device to your account, and get passwords to sync to it.
alehlopeh 17 days ago [-]
If someone knows your username and password and can convince you to give them a TOTP code, then yeah they can log in to your account. That’s hardly iCloud-specific.
myflash13 17 days ago [-]
iCloud Passwords is more secure than that. Even a TOTP code and password is not enough to initiate a password sync. You also need to biometrically authenticate a previously synced device
pohuing 16 days ago [-]
Thinking about it, what happens if you lose your eyes or your fingertips (say for example from frostbite). Are you just screwed or is there a recovery method
myflash13 16 days ago [-]
I make my own encrypted backups from CSV exports.
myflash13 17 days ago [-]
Nope. Check the Apple documentation, that’s not how it works. Even if Mallory gets your Apple ID and 2FA code you still need biometrics from a nearby device to initiate password sync.
This is a special requirement for Passwords that does not apply to other encrypted data in your Apple account.
throwpoaster 17 days ago [-]
I had my password manager compromised by a business partner. I added him to my 1Password account and then, in a play for control of the company, he attempted to remove me. Lesson learned: don't try to save money on password managers.
If all of my 2FA code generators had been in 1Password I would have been truly screwed, but in a stroke of luck I had been paranoid enough to use a separate app for 2FA codes.
ww520 17 days ago [-]
While it’s regrettable you had someone you trusted betray you, the lesson is more of never share your password manager with others.
swat535 17 days ago [-]
Exactly, it’s like people complaining about locks when they hand over their keys to another person and suffer theft.
The lesson here is using granular permissions and sharing things selectively, more importantly never giving master access to anyone.
dahart 17 days ago [-]
Wild! Would that actually work in the long run? It could cause you a lot of trouble, I’m sure, but it seems like if you have any legal documentation, a lawyer would easily fix it. And it seems like it’s probably illegal to try to remove someone without consent or authorization, so it could potentially backfire pretty hard for him?
I know this happens sometimes, and I’m thankful my partnerships have never gone this bad. Did you know it was headed this direction before he tried it? Was that the end of the company?
throwpoaster 16 days ago [-]
The law is amazingly difficult to actually enforce against someone who simply will not comply. If everything goes to a potential finding of contempt it takes ages to win by inches. This is what I ended up doing. Literally took 2+ years.
I “won” in the end — the board fired him and appointed me CEO - but it destroyed the company.
And yes, I saw it coming, but was hoping I could control him until we found revenue and the pressure came off. This was illogical because people like that cannot find revenue.
kubo6472 17 days ago [-]
I'm sorry this happened to you, but it highlights another very important factor. Don't keep all keys to the kingdom on one person. Always divide and conquer. Keep power distributed between multiple people. I worked at a company of 500+ people, and I'm sure the CEO didn't have access to all the IT people's stuff. They only cared that everything works and meets their quarterly goals. Should the IT person feel like sabotaging stuff, there are distributed backups and mainly the fine print in the work contract preventing that.
I know this doesn't necessarily apply to smaller companies and startups, but have lawyers write you strong contracts that aren't one-sided, but are full of protections for both sides, if they aren't sabotaging stuff.
throwpoaster 16 days ago [-]
This, yes, but there’s a really interesting corollary:
If you’re on a small team (~5 people) the person obsessed with access controls cannot be trusted.
Eric_WVGG 17 days ago [-]
That’s harrowing.
If any journalists are lurking in this discussion, this would make a decent article.
throwpoaster 16 days ago [-]
Reply here with info and I’ll reach out. Have to be careful with NDAs and such.
bloopernova 17 days ago [-]
Because there's a trade-off between security and convenience.
declan_roberts 17 days ago [-]
Exactly, and is there a material difference between OTP in a password manager and a passkey in the password manager?
rlk 17 days ago [-]
There are a couple of differences:
1. While a password manager should associate a TOTP seed with a domain and only fill codes on that domain, the codes are still visible to you. A convincing phishing attack might trick you into manually entering a code into a fake page. Passkeys don't allow this.
2. TOTP codes are derived from a seed shared between the client and server, so an attacker who gets read access to the server's database could generate your codes. With passkeys, the server can only validate a signature, not generate them.
pwg 17 days ago [-]
> A convincing phishing attack might trick you into manually entering a code into a fake page.
Sadly, for a far too large population of users, a convincing phishing attack will be successful, even if the tech. is flashing ten different warnings of "this is a phishing attack page" at the same time. You can't "technology" around human nature for a subset of the population.
lesuorac 17 days ago [-]
Probably.
I would bet there are some systems that accept a passkey in a situation that they don't accept a password.
kif 17 days ago [-]
People advocating against storing 2FA codes in the password manager are correct from a purist perspective, but not from a pragmatic perspective if you ask me.
If my device is compromised, along with my device's password, as well as the password manager's password, then yeah... I'm screwed.
As long as I keep my devices up-to-date though, I believe the highest risk comes from state-sponsored actors. I've chosen convenience, and I've made my peace with it.
cycomanic 17 days ago [-]
It's interesting how many argue that putting 2FA codes into a password manager is wrong because you combine 2 factors into one (I don't fully agree with that reasoning), but then are happy with passkeys. How are passkeys better?
WhyNotHugo 17 days ago [-]
Passkeys are 1 factor authentication.
They are often better than only using a password (merely due to the fact that most humans pick terrible passwords).
But using a password + 2FA generally is safer than passkeys. This is especially true if you use webauthn for 2FA, since now one of your factors is basically the passkey.
ghshephard 17 days ago [-]
Passkeys aren't susceptible to phishing. 2FA TOTP is. Also, your seed/token can be trivially stolen from a password manager. Getting the passkey private key is somewhat more challenging.
cheald 17 days ago [-]
I think it's a terrible idea, because it dramatically decreases the attack surface area needed to compromise accounts. 2FA is supposed to be "something you know" and "something you have"; putting your 2FA seeds into your password manager reduces your 2FA to "something you know", and, significantly worse, it's "something you know in the same place as the other thing you know".
The time-variant component is still quite valuable, but it does nothing to protect you in the event of a password manager compromise. This is not a hypothetical; LastPass has suffered multiple breaches, and the more popular a solution, the more likely there are to be attacks against that solution. By keeping your 2FA separate from your password manager, even if it's still just "something you know", it's something you know in a location that's orthogonal to your passwords. If I yield to convenience and use a 2FA desktop app, then now, instead of just attacking my Bitwarden install, you have to successfully attack my Bitwarden install and my 2FA desktop app install to get access to my accounts, and the combination of password managers * 2FA managers is a substantially larger attack surface and requires a significantly more sophisticated attack to get both pieces.
The arguments in the article come down to "well, 2FA mitigates phishing attacks" (true) and "Google Authenticator means you can lose your data easily" (also true). But neither of these is a good argument for why the data should be kept together. It just means "use 2FA", and "use a 2FA manager that lets you directly manage your seeds and keep offsite encrypted backups".
If you can't be bothered to do it properly, then 2FA codes in your password manager is certainly better than not using 2FA at all, but that just makes it a less terrible solution, not a good one.
jerf 17 days ago [-]
Putting your 2FA into your password manager doesn't "reduce" it to "something you know". It proves it was "something you know" all along. If it can be put into a password manager, it's "something you know", regardless of what the intention is or was. Intentions don't drive what things actually are.
On a related note, "passkeys" are also "something you know" for the same reason.
However, that does not mean that TOTP codes are useless. Not all "something you know"s are created equal. However, I shamelessly put my TOTP codes into my password manager. Just because some people mistakenly identified it as "something you have" doesn't mean I need to pretend they are correct. It just inconveniences me for no security gain.
dns_snek 17 days ago [-]
> If it can be put into a password manager, it's "something you know", regardless of what the intention is or was. Intentions don't drive what things actually are.
That's not a useful distinction and needlessly breaks an otherwise useful model. By that logic, every authentication method is just "something you know" since every piece of information can be represented as a stream of bits, and password managers are well equipped for storing it. That includes your face, fingerprint, and DNA.
jerf 17 days ago [-]
I agree with your last sentence and I am finding the know/are/have model actually quite useless in practice, for that very reason. It's all really just variants on knowing, and rather than breaking the world into three categories, two of which don't really exist, it's much more sensible to look at what the differences between the classes of "knowing" is.
For example, while I "know" my TOTP codes, it is relevant that they can not be memorized. While I "know" my passkeys, the differences in how that knowledge is interrogated is relevant. What isn't useful is modeling either of those things as "have" versus "know", because by putting them in my password manager, I have objectively broken them as a concept of "thing I have".
But people marry their models, so it'll be a while for this to get through our collective skulls. It looked so useful at first.
aimazon 17 days ago [-]
If my primary device is compromised and my master password is compromised and the device that I use for second factor authentication into my password manager is compromised then the secondary device that I could use for 2fa codes is compromised. For most normal people, storing second-factor codes in Bitwarden alongside passwords is marginally worse at worst, and inconsequential at best.
Yes, if you use a bad password manager that is fundamentally flawed (like LastPass) then all bets are off but that's not an argument against the principle of storing 2fa codes alongside passwords in a password manager.
I doubt there's a single Bitwarden user on earth who has ever suffered a security incident because they store their 2fa codes in Bitwarden, that's how inconsequential this risk is.
patrakov 17 days ago [-]
Unconventional opinion here.
Passwords in the password manager are not "something you know" anymore. They are "something you have". So, no matter whether the TOTP codes are stored in the same app or a separate device, you can no longer properly call them 2FA. It's 2x "something you have" in either case.
EDIT: user "jerf" in the same comment thread says that it is 2x "something you know". The distinction whether something stored counts as "something you know" or "something you have" does not really matter. In either case, it is 2x the same type of a factor. --END EDIT.
From the "difficulty to compromise something" standpoint, you are, of course, right that storing the TOTP seed in a separate device is better. But look, this is not the primary reason why websites need to implement TOTP. The very fact that hackers need to compromise your device in order to get access to your account is already indicating a higher-than-usual security level, even without 2FA, and the article fails to notice this. Besides, the article only presents a user-centric viewpoint, while the viewpoint of a website owner would be more relevant here.
The main problem solved for real by TOTP is that users select stupid passwords like "Zhong+wen" that are guessable yet still pass complexity requirements, or reuse passwords on multiple websites (and your website cannot check for that), thus enabling compromise of the user's account on your website if another website gets hacked.
The main security reason (from the website viewpoint, not from the user's viewpoint) for TOTP introduction is, thus, to introduce a high-entropy factor which is (unlike a password) not chosen by the user, guaranteed not to be reused elsewhere, and thus cannot be guessed or compromised without access to the user's devices. This benefit is not invalidated by you storing the 2FA secret in the password manager.
ashitakamonkey 17 days ago [-]
Doing it properly is the key part I think a lot of people miss.
People often skip out on actually assuming responsibility for their data and accounts. A backup system should be in place and ensuring their 2FA codes are not lost with their device is part of that taking on responsibility.
Al-Khwarizmi 17 days ago [-]
You speak as if 2FA were something that most people use willingly and not just something they put up with because they're forced to.
cheald 17 days ago [-]
Which is precisely why it's irresponsible to give people the rope to hang themselves with by supporting 2FA seeds in password managers (much less telling them it's a good idea), IMO.
People take the path of least resistance; we know this. It's why, for the longest time, people used one password for everything. People don't like using password managers, either, but we would all agree that it's unacceptably insecure to not use them, because the alternative is "one password used everywhere, maybe with a single varying digit on the end".
Trasmatta 17 days ago [-]
> People take the path of least resistance; we know this
If you remove the ability to store 2FA codes in password managers, the path of least resistance becomes "people don't use 2FA at all".
cheald 17 days ago [-]
I don't think that's true at all. 2FA has been a popular solution for many years, well before the addition of TOTP support to the popular password managers.
pwg 17 days ago [-]
For some sizable amount of the user base, assuming they can even be convinced to use a password manager in the first place, not being able to also store 2FA codes in the manager will become their excuse to not use 2FA codes.
A great expanse of users (note, not normally the ones who frequent HN) see all these 2FA codes, and passwords as well, as just an irritating impediment to accomplishing whatever goal it is they wish to accomplish at the time.
Trasmatta 17 days ago [-]
Was it actually popular among non tech people? I feel like nobody I knew outside of developers had ever used a 2FA code until maybe 3 or 4 years ago (unless they were forced to)
starky 17 days ago [-]
I agree. Give the average person the ability to make a good enough decision for their online security with minimal effort. I'm having a hard time being that concerned with TOTP 2FA being an option in the same location as passwords when the most important accounts people have are often limited to completely unacceptable SMS 2FA (looking directly at you financial institutions). Whatever it takes to get people off SMS and Email 2FA is a big win in my book, even if it isn't the best option.
mlfreeman 17 days ago [-]
> it does nothing to protect you in the event of a password manager compromise. This is not a hypothetical; LastPass has suffered multiple breaches, and the more popular a solution, the more likely there are to be attacks against that solution.
You can mitigate this risk by not depending on your password manager app to do cross-device sync: keep a file on Dropbox/OneDrive/iCloud Drive/SFTP/etc and use an app like KeePass/Strongbox/etc that just deals in managing credentials.
My KeePass file storage provider doesn't know what the hell I store there because it's encrypted (I hope there are no known issues with KeePass's crypto)
As a bonus, you can keep offline backups to mitigate other risks like house fire, lightning strike induced EMP frying things (happened to me), storage vendor goes out of business, and more.
-------------
I think in the end, there is no universal solution - you really have to try to be reasonable about estimating your own personal threats and risks (such as asking "am I more likely to suffer a password manager compromise or more likely to break a device?") to decide whether to keep 2FA next to passwords or not.
nlawalker 17 days ago [-]
> But neither of these is a good argument for why the data should be kept together
The argument is "because many people, if they can't keep the data together, will elect not to use 2FA at all if given a choice."
eek2121 17 days ago [-]
I guess that would depend on execution. If your password manager uses strong encryption and you also use MFA for it (a yubikey for example), I imagine it isn’t all that less secure. Your point still stands, however.
WhyNotHugo 17 days ago [-]
The first reasoning basically summarises to "storing 2FA token in a password manager protects against phishing because the TOTP token won't be autocompleted on the wrong domain".
Any decent password manager would avoid autocompleting the password on the wrong domain in the first place. I.e.: it will already protect against phishing attacks anyway.
1Password's documentation used to have a whole article about how bad an idea it was to store TOTP in a password manager — but their stance completely changed at some point. Around the same time they started _recommending_ that you do so, and presented it as a key feature in the marketing material.
---
Personally, I think that the only valid reason to store a TOTP secret in a password manager is when you don't really care too much about an account (e.g.: prefer convenience over security), but the website demands that I set up 2FA.
kazinator 17 days ago [-]
The author of this article is unaware of the possibility of an audience who has no idea what the use case looks like for a short temporary token to be stored in a semi-permanent store like a password manager; what does it do? How does the token get there, and how is it used? Does the password manager infrastructure have access to the stream of tokens so that it populates the latest one, and fills it in for you when you're authenticating? Obviously any manual step in handling the token via the password manager will be worse (or no better) than just entering the token manually into the authentication dialog, so it has to work that way?
timwis 17 days ago [-]
Related: Why is it a good idea to store 2FA tokens in 1Password?
Using 1Password requires me to use one of my devices to add a device to my account.
If someone has my password and my device how will a separate app help me in this case?
Honest question as the 1password model seems to be “something you know and something you have”.
baobabKoodaa 17 days ago [-]
If someone hacks 1Password, they will get access to all your accounts. Whereas if you moved TOTP off 1Password, that hacker would no longer be able to access your accounts.
conception 5 days ago [-]
If someone hacks 1Password, they get an encrypted vault. 1Password has no access to my passwords. There is no recovery mechanism without the encryption keys or a device on the account.
ww520 17 days ago [-]
One of the risks of 2FA is losing access to your accounts after losing the authenticating device. Backing up the 2FA seeds mitigates that risk. The backup needs to be encrypted with the password remembered and stored somewhere. Sounds like it’s a job for a password manager, preferably in an offline local password manager with a different database.
rsync 17 days ago [-]
"One of the risks of 2FA is losing access to your accounts after losing the authenticating device."
A "2FA Mule"[1] solves this problem by staying in one place with constant power.
I receive plain old SMS 2FA codes while flying in an airplane.
I also don't care that much if I lose or destroy my personal mobile. In fact, I don't even know my current SIM number. If I lose my personal mobile I just edit a twiml bin at Twilio and point my number somewhere else ...
Ultimately, you have to store your backup codes somewhere. So the only solution besides using your password manager is using a second password manager. Or not using a password manager to save off your backup codes, which has its own disadvantages.
There's lots of cases where 2FA reduces to 1FA. E.g. logging into a website on your mobile phone, and getting your TOTP or SMS code on that same phone. In fact, that case is so common I wonder if we should just get more used to the idea of 1FA, with smartphone passkeys/biometrics/SSO being the auth factor. As it stands, if you compromise someone's smartphone (and have their smartphone PIN), the odds are great you can autofill any password you like on their phone and pull up any needed 2FA tokens as well.
aftbit 17 days ago [-]
IMO the real advantages of 2FA are threefold:
1. The key is generated by the server, not the client (human), so it cannot be reused like a password.
2. The authentication is temporally bound, so phishing only offers access for ~30 seconds, unlike a password where it provides unlimited access until someone changes it (never unless forced in practice).
3. It's literally required for many services, so you need to use it. The alternatives to storing your secrets in your password manager are keeping them on your phone (which is how most people log in anyway, so it's already becoming a single point of failure) or using something like SMS 2FA, which is even worse as SIM jacking is pretty trivially possible on most providers.
superultra 17 days ago [-]
The primary reason I used 1password + 2FA at both my business and in my family is really simple: 1password creates a shared 2FA process. That is, I can create a 2FA login that someone else in my team or family can also access.
1123581321 17 days ago [-]
Good advice in this article. Keeping TOTP in a good password manager removes risk of making mistakes with the codes by tying it to the same auth sequence as the password. The assurance that the codes are securely stored, easy to use and to establish on a new trusted device lets services be used confidently which don’t allow vulnerable bypassing of credentials with easily purchased proofs (SSNs, street address etc.)
Backing up TOTP seeds encrypted is a good idea if you know what you’re doing.
It is a security-improving move when humans are factored in, not a trade-off between security and convenience.
jopsen 17 days ago [-]
I really wish we could store passkeys and totp in bitwarden where access always goes through a server side KMS.
Currently, bitwarden stores these encrypted, but they are unlocked with the rest of the password manager.
For now I'll stick to yubikey for 2FA.
But I wish I could use bitwarden as a layer of abstraction, such that bitwarden would always require my yubikey before allowing any of the passkeys or totp keys to be used.
xlii 17 days ago [-]
This might not be a solution for everyone, but wouldn't the best protection be to use two separate password managers? One for passwords and the other for the TOTPs?
I wonder why service providers don't have it already. They could even help ensure that the passwords are different and provide some interoperability between both vaults (e.g. TOTP on mobile device is passed to PC password completions)
alistairSH 17 days ago [-]
Maybe there’s a language issue here… but would any saved 2FA code be expired the next time you retrieved it from your password manager? They’re generated for one-time use and have an expiration, right?
Or, when the author says “save the 2FA code” does he really mean “use the password manager to generate the 2FA codes”?
Eric_WVGG 17 days ago [-]
A good explanation for the layperson is: MFA means access requires something you know (a password) and something you have.
In the early days of MFA that thing meant a cellphone because it was SMS by default, but yeah, a laptop or computer of any kind is a "thing you have" as well.
kardianos 17 days ago [-]
If useful to this crowd. I use keepassx, I made a way to easily print off key passwords along with their instructions:
It could be modified to also print out the otp as well if stored.
complex_pi 17 days ago [-]
A file-based password manager is something you have (the file) and something you know (the master password) provided you have a timeout on the password manager and a safe screensaver. (In reply to some comments below).
It does require some thought / hygiene but seems a fair compromise.
evanjrowley 17 days ago [-]
For a few years I've used the exact same setup as the author in regards to my TOTP codes, password manager, and WebAuthn hardware keys. This past year, I've supplemented this with biometric passkeys on Windows, Apple, and Android.
loeg 17 days ago [-]
Basically because 2FA is a useless nuisance when you've got unique high entropy passwords that can't be stuffed, and it's not a defense against your entire password corpus being leaked.
lazyeye 17 days ago [-]
When I upgrade my phone, I keep the old one as a backup and load the same OTP codes into the authenticator app on my new phone.
It is no problem to have OTP codes on multiple phones.
LorenzoGood 16 days ago [-]
I do it for some accounts where I don't care that much about having 2fa, but its forced, and its easier than getting SMS notifications.
notorandit 17 days ago [-]
You may say I am a dreamer, but I am not the only one!
Storing 2FA codes in your password manager is not a good idea at all in case you get it breached. Otherwise it could be a convenient idea.
If your password manager gets breached you could also lose control of your 2FA as it can be replaced as well.
We need to securely store our 2FA codes, sure. But I would advise not to use the "normal" password manager. I for one have them printed on paper.
gruez 17 days ago [-]
>A time-based 2FA (TOTP) is time-sensitive, and a man-in-the-middle or proxy needs to be set up to capture that in real-time
Is that supposed to be remotely difficult? It'll take maybe an hour to whip up a script that takes the captured credentials, passes it onto a headless browser to attempt the login, capture the session cookie, and optionally refresh the page regularly to keep the session active.
bsza 17 days ago [-]
Unless the page gives you a captcha before the TOTP, which it definitely should.
gruez 17 days ago [-]
None of my bank accounts use a login captcha. Presumably they mitigate bruteforcing using lockouts or similar. Even if they use captchas, captcha solving services exist that solve for less than a cent per solve. It's not a huge barrier.
dns_snek 17 days ago [-]
Modern captchas only deter humans, bots will pass right through.
yapyap 17 days ago [-]
because the risk isn't in hackers hacking your password manager
ezfe 17 days ago [-]
TLDR: Account security is a balance and saving it in a password manager has more benefits than downsides
Even if it's only random-ish, password managers do key stretching (for example by hashing the password 600k times - bitwarden has a high default value and lets you increase it if you like) so that it has to take some computational effort to check if a single password is correct. That's why it takes a few seconds to unlock your vault each time.
With these in place I think you're pretty safe for a long time. (Well, maybe until quantum computing breaks those cyphers?)
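The key stretching described in the comment above, as an added example written for this thread rather than Bitwarden's or any other product's code: PBKDF2-HMAC-SHA256 turns the master password into the vault key, the vault stores only a hash of that key as an unlock check, and the per-guess cost is measured at a constructed low iteration count beside the 600k figure the comment cites. The iteration values, the verifier layout and the function names are assumptions made here.

```python
import hashlib
import hmac
import os
import time

# Constructed settings for comparison, not any product's actual parameters.
WEAK_ITERATIONS = 1_000        # a legacy-style low count
STRONG_ITERATIONS = 600_000    # the default the comment above attributes to bitwarden
KEY_LEN = 32                   # 256-bit vault key


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into the vault key. The salt is stored beside the vault,
    so anyone holding a stolen vault must repeat all `iterations` for every guess."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, KEY_LEN)


def make_verifier(master_password: str, iterations: int) -> dict:
    """Record stored with the vault: salt, iteration count and a hash of the derived key.
    Storing a hash rather than the key itself means the record cannot decrypt the vault."""
    salt = os.urandom(16)
    key = derive_vault_key(master_password, salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "check": hashlib.sha256(key).digest()}


def unlock(master_password: str, record: dict) -> bool:
    """Re-derive the key and compare the check value in constant time."""
    key = derive_vault_key(master_password, record["salt"], record["iterations"])
    return hmac.compare_digest(hashlib.sha256(key).digest(), record["check"])


def seconds_per_guess(iterations: int, rounds: int = 3) -> float:
    """Cost of one derivation on this machine, i.e. the price of one offline guess here."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(rounds):
        derive_vault_key(f"guess-{i}", salt, iterations)
    return (time.perf_counter() - start) / rounds


def offline_guessing_hours(iterations: int, candidates: int) -> float:
    """Hours to try `candidates` guesses serially on this machine. Dedicated hardware is much
    faster in absolute terms; the ratio between the two iteration counts is the point."""
    return seconds_per_guess(iterations) * candidates / 3600


if __name__ == "__main__":
    record = make_verifier("correct horse battery staple", STRONG_ITERATIONS)
    print(unlock("correct horse battery staple", record))  # True
    print(unlock("Tr0ub4dor&3", record))                   # False
    for n in (WEAK_ITERATIONS, STRONG_ITERATIONS):
        print(f"{n:>7} iterations: {seconds_per_guess(n):.4f} s per guess, "
              f"{offline_guessing_hours(n, 10_000_000):.1f} h for 10M candidates")
```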
That's not true. A long sentence of your choosing is easy to memorise and plenty long enough to not be able to be guessed by a computer (brute force).
\s
I'm sure German is not alone, but it is the only one I'm aware of - though with over 7000 known languages I doubt anyone knows enough to state anything with confidence.
But this is why I use security keys like yubikeys. Doesn’t matter if an attacker knows my main password for any number of reasons, there’s fuckall they can do with it without my physical key.
And even if they get into my vault and extract passwords, for many websites (in particular the most important ones) they’d still need to use my security key, they can’t just use the passwords.
Attacks are still possible (with browser session fuckery?) but much harder than yet another breach where a website was storing passwords in plaintext
Note, it’s best to not select “remember me” for Bitwarden: https://bitwarden.com/help/twostep-faqs/#q-why-is-bitwarden-...
I like, no I think it's simply a hard requirement, that I can recover from nothing but the contents of my head. I can wake up naked in a foreign country and regain everything.
There is literally no point to encryption if possession of the ciphertext is sufficient to extract the secret.
This is what I do for my keepass database. It means I can store my database in a cloud service of my choice for sync purposes too.
I use KeePass, never upgrade it, and only back it up to my own cold spinning drives. If malware stole my local vault I'd be in trouble, but it's more convenient than keeping my passwords on paper.
https://github.com/bitwarden
The reason for those losses was partially that LastPass was encrypting with extremely low iterations on long-standing accounts (it also may not have helped that they didn't encrypt URLs either). That was a terrible practice which isn't duplicated by credible alternatives.
As a matter of opinion you may still be right, though personally I consider the risks of a bad password to be higher than a leak purely because without a password manager making it simple to use long random passwords most do tend to be bad ones (duplicated/short/guessable/engineerable) as those are the only ones that are memorable.
It's the usual trade-off between security and usability, with the perfect being the enemy of the good, especially in regard to pushing less technical users to solutions which may not be ideal but are still much safer.
But why would it be better to use passkeys?
Because don't sites with passkeys generally still allow you to fall back to password, since it's common for people to lose their phone and then lose their passkey? Whereas sites with 2FA obviously don't, and have more complicated/secure recovery mechanisms?
So seems to me like 2FA (TOTP's) are currently vastly better in practice?
If an adversary can successfully phish someone, they can often also trick them into providing TOTP codes or approving push notifications. However, TOTP remains significantly better than the alternatives, as it prevents credential stuffing attacks and SMS-related compromises while potentially limiting any account breach to a single session.
I think you're missing the point I made -- that because of the way sites are currently set up, your password can be phished even if you have a passkey, and your password is good enough to get you in.
So given that that is the current state of things, isn't TOTP better because it prevents this? Because at least the TOTP won't let an adversary get in a second time.
Which service is it? Do they ever use that password?
If I were used to signing in with a passkey, I'd find a password prompt suspicious. While the average person might not, it's also possible they would have forgotten the password entirely. There are other services that force TOTP even with hardware keys enrolled. Technically they can be phished, but it would not be successful in all cases.
Unfortunately, varying behavior and support for multifactor protocols (along with risky reset flows) makes it hard to give blanket recommendations.
So ironically, your options would be your passkey, or your password+passkey/FIDO key (in 2FA mode).
Tokens that increase the trust level of an authentication come with additional controls (tamper resistant hardware, passcode, etc)
For normal people, a FIDO token delivers the highest level of security and integrity.
In practice, I feel the main reason 2FA is popular is because people cannot be trusted to create unique and secure passwords for every service. The phishing-resistance is nice, but I'd prefer it being the only credential, and just having it be autofilled (making it longer to combat bruteforce), like what we currently have with password managers...
Here's to hoping passkeys turn out any better.
Right. This is the killer features of passkeys.
Then again, I do this for accounts that I really care about, I just keep TOTP in my password manager for accounts that are not worth the effort.
I get their argument that 2FA makes phishing more difficult, but I disagree that it's its "primary use", or that the distributed factor is unimportant. I personally wouldn't feel comfortable having all my important accounts behind Bitwarden's single point of failure. 2FA for important accounts mitigates the damage if my Bitwarden is broken into.
TOTP or SMS-2FA are obviously phishable, if you just entered your password into a phishing site, why wouldn't you also enter a TOTP code? I usually point to Modlishka as a practical example (https://vimeo.com/308709275) to help visualize this.
In fact, the main (claimed) advantage of 2FA is that it prevents "Credential Stuffing" of reused passwords. I personally don't think TOTP (or similar) are a good solution to this problem at all, but this is a thorny issue.
If domain doesn't match, and you manually copy the password, and login, you can as well manually copy the 2FA code.
Yes, same with the password.
So it is not an advantage of 2FA.
I'm curious though why you don't think TOTP or similar are good against credential stuffing though, would you be able to expand upon that?
> I'm curious though why you don't think TOTP or similar are good against credential stuffing though
I have written about this before, but looks like I lost the article somehow. https://web.archive.org/web/20210219185711/https://blog.cmpx...
Imagine you reuse the same password everywhere, and are sick of credential stuffing attacks. You ask your friend for advice, and your friend tells you to just enable TOTP when available, explaining that when there is a data breach you will be safe.
That is obviously bad advice, the vast majority of services do not use TOTP and you will have to race attackers to change your credentials quickly at dozens (hundreds?) of services. I think a reasonable person would say that you have not "prevented" credential stuffing.
A far better solution is unique passwords, it works today with all service providers.
A better approach would be to split into two solutions where you store passwords and 2fa keys.
I use Bitwarden for passwords, but save all 2FA in Aegis. These two have different 5-word passphrases prefixed with a regular 8-char password to increase entropy. I save a backup of the 2FA db to replicated storage with a synthetic password. For Bitwarden I delegate persistence of the data to Bitwarden, but it would make sense to take encrypted backups regularly.
The disaster recovery protocol is to have a smaller 2FA encrypted database printed on paper. I know the password to this db. Recovering this DB gives me access to Bitwarden and the cloud storage, which gives me access to the rest of my passwords and keys.
A) Is fooled by a phishing attack
and
B) Is not fooled enough to manually copy-paste credentials from their password manager after noticing that the autofill didn't work
Does a person like this exist somewhere? Sure, if you interview 1 million people, I'm sure you will find 1 person like this.
It is very, very strange to me that the security "experts" are narrowly optimizing for this specific user and downplaying all the risks related to their recommendation.
I don't remember the exact number but something like 30% of people who didn't use a password manager got caught. Basically no-one using a manager was.
Granted there might be some selection bias (people who had managers were probably already slightly more security conscious), but people were feeling slightly embarrassed to have been caught and it worked great to have everyone do the switch. And everyone remembered after that that if it doesn't autofill, something's amiss.
I think plenty of people will have second thoughts when the password doesn't go.
Any kind of experiment that doesn't involve 2FA at all is not relevant for this comparison.
Your argument about 2FA depends on how many of those people there are.
Therefore the anecdote is quite relevant, indirectly.
Google Authenticator doesn’t export the seeds or store the seeds in the device backup, or sync them, so when you lose or upgrade that phone, you lose all your TOTP. This is bad.
Also, TOTP in general is bad, because it is easily phished, just like passwords. Using a password manager to store TOTP cuts down on phishing risk as it won’t input them into the wrong domain site. Copying them manually from a different app is still vulnerable to phishing.
Not true anymore. [0]
[0]: https://www.theverge.com/2023/4/24/23696058/google-authentic...
https://security.googleblog.com/2023/04/google-authenticator...
The problem with "phishing" is not the technology. Phishing is 100% a human issue and no matter what tech. you might use, those humans vulnerable to being phished will find a way to be phished.
[1] https://f-droid.org/en/packages/org.liberty.android.freeotpp...
Did you read the article? That's what they say.
> For maximum security, you can store your 2FA token elsewhere ... but for general purpose use, storing your 2FA in your password manager is an acceptable solution due to the convenience benefits it provides.
No, that's not what they say. If you read the text that you just now quoted, you will see that it says "storing your 2FA in your password manager is an acceptable solution due to the convenience benefits it provides". Clearly the writer of that text believes there _is_ something wrong with having 2FA completely separate from the password vault: it is less convenient, to the extent where they are happy recommending this horrible approach to laypersons.
In addition, if you go and read OP, you will find that they talk about the potential of losing access to your TOTP codes stored in Google Authenticator. So that's another thing that counts as "something wrong" with storing 2FA separately from password vault.
So there's at least 2 things in the article that count as "something wrong". So they definitely didn't say that there's "absolutely nothing wrong".
but that's literally what this is... the less convenient method (2FA) caused people to come up with workarounds (saving 2FA secrets in their password vaults)... and I'm saying it's horrible
The problem is that it requires a certain amount of good hygiene when it comes to computer equipment. There are many people who are bad with computers, who don’t have phone backups and lose their phone, who will share accounts and devices, and so on. The result is an insecure mess.
So, solving the “people should use a password manager” problem requires solving all the other issues surrounding how non-technical people use and misuse computer equipment, so that having a password manager and not losing the essential data stored in it becomes the default.
For some people, it would probably be safer and easier to write down your passwords on paper, in a notebook. Other people will lose the notebook, or have it stolen from them. There are similar but more complicated issues with holding onto computer devices.
If someone can log in via your Apple ID, which means that the person knows the username/password, and can also convince you to provide them with the 2FA code that gets shown on your existing device, they can just add a new device to your account and get passwords to sync to it.
This is a special requirement for Passwords that does not apply to other encrypted data in your Apple account.
If all of my 2FA code generators had been in 1Password I would have been truly screwed, but in a stroke of luck I had been paranoid enough to use a separate app for 2FA codes.
The lesson here is using granular permissions and sharing things selectively, more importantly never giving master access to anyone.
I know this happens sometimes, and I’m thankful my partnerships have never gone this bad. Did you know it was headed this direction before he tried it? Was that the end of the company?
I “won” in the end - the board fired him and appointed me CEO - but it destroyed the company.
And yes, I saw it coming, but was hoping I could control him until we found revenue and the pressure came off. This was illogical because people like that cannot find revenue.
I know this doesn't necessarily apply to smaller companies and startups, but have lawyers write you strong contracts that aren't one-sided, but are full of protections for both sides, if they aren't sabotaging stuff.
If you’re on a small team (~5 people) the person obsessed with access controls cannot be trusted.
If any journalists are lurking in this discussion, this would make a decent article.
1. While a password manager should associate a TOTP seed with a domain and only fill codes on that domain, the codes are still visible to you. A convincing phishing attack might trick you into manually entering a code into a fake page. Passkeys don't allow this.
2. TOTP codes are derived from a seed shared between the client and server, so an attacker who gets read access to the server's database could generate your codes. With passkeys, the server can only validate a signature, not generate them.
Sadly, for a far too large population of users, a convincing phishing attack will be successful, even if the tech. is flashing ten different warnings of "this is a phishing attack page" at the same time. You can't "technology" around human nature for a subset of the population.
I would bet there are some systems that accept a passkey in a situation that they don't accept a password.
If my device is compromised, along with my device's password, as well as the password manager's password, then yeah... I'm screwed.
As long as I keep my devices up-to-date though, I believe the highest risk comes from state-sponsored actors. I've chosen convenience, and I've made my peace with it.
They are often better than only using a password (merely due to the fact that most humans pick terrible passwords).
But using a password + 2FA generally is safer than passkeys. This is especially true if you use webauthn for 2FA, since now one of your factors is basically the passkey.
The time-variant component is still quite valuable, but it does nothing to protect you in the event of a password manager compromise. This is not a hypothetical; LastPass has suffered multiple breaches, and the more popular a solution, the more likely there are to be attacks against that solution. By keeping your 2FA separate from your password manager, even if it's still just "something you know", it's something you know in a location that's orthogonal to your passwords. If I yield to convenience and use a 2FA desktop app, then now, instead of just attacking my Bitwarden install, you have to successfully attack my Bitwarden install and my 2FA desktop app install to get access to my accounts, and the combination of password managers * 2FA managers is a substantially larger attack surface and requires a significantly more sophisticated attack to get both pieces.
The arguments in the article come down to "well, 2FA mitigates phishing attacks" (true) and "Google Authenticator means you can lose your data easily" (also true). But neither of these is a good argument for why the data should be kept together. It just means "use 2FA", and "use a 2FA manager that lets you directly manage your seeds and keep offsite encrypted backups".
If you can't be bothered to do it properly, then 2FA codes in your password manager is certainly better than not using 2FA at all, but that just makes it a less terrible solution, not a good one.
On a related note, "passkeys" are also "something you know" for the same reason.
However, that does not mean that TOTP codes are useless. Not all "something you know"s are created equal. However, I shamelessly put my TOTP codes into my password manager. Just because some people mistakenly identified it as "something you have" doesn't mean I need to pretend they are correct. It just inconveniences me for no security gain.
That's not a useful distinction and needlessly breaks an otherwise useful model. By that logic, every authentication method is just "something you know" since every piece of information can be represented as a stream of bits, and password managers are well equipped for storing it. That includes your face, fingerprint, and DNA.
For example, while I "know" my TOTP codes, it is relevant that they cannot be memorized. While I "know" my passkeys, the differences in how that knowledge is interrogated are relevant. What isn't useful is modeling either of those things as "have" versus "know", because by putting them in my password manager, I have objectively broken them as a concept of "thing I have".
But people marry their models, so it'll be a while for this to get through our collective skulls. It looked so useful at first.
Yes, if you use a bad password manager that is fundamentally flawed (like LastPass) then all bets are off but that's not an argument against the principle of storing 2fa codes alongside passwords in a password manager.
I doubt there's a single Bitwarden user on earth who has ever suffered a security incident because they store their 2fa codes in Bitwarden, that's how inconsequential this risk is.
Passwords in the password manager are not "something you know" anymore. They are "something you have". So, no matter whether the TOTP codes are stored in the same app or a separate device, you can no longer properly call them 2FA. It's 2x "something you have" in either case.
EDIT: user "jerf" in the same comment thread says that it is 2x "something you know". The distinction whether something stored counts as "something you know" or "something you have" does not really matter. In either case, it is 2x the same type of a factor. --END EDIT.
From the "difficulty to compromise something" standpoint, you are, of course, right that storing the TOTP seed in a separate device is better. But look, this is not the primary reason why websites need to implement TOTP. The very fact that hackers need to compromise your device in order to get access to your account is already indicating a higher-than-usual security level, even without 2FA, and the article fails to notice this. Besides, the article only presents a user-centric viewpoint, while the viewpoint of a website owner would be more relevant here.
The main problem solved for real by TOTP is that users select stupid passwords like "Zhong+wen" that are guessable yet still pass complexity requirements, or reuse passwords on multiple websites (and your website cannot check for that), thus enabling compromise of the user's account on your website if another website gets hacked.
The main security reason (from the website viewpoint, not from the user's viewpoint) for TOTP introduction is, thus, to introduce a high-entropy factor which is (unlike a password) not chosen by the user, guaranteed not to be reused elsewhere, and thus cannot be guessed or compromised without access to the user's devices. This benefit is not invalidated by you storing the 2FA secret in the password manager.
People often skip out on actually assuming responsibility for their data and accounts. A backup system should be in place and ensuring their 2FA codes are not lost with their device is part of that taking on responsibility.
People take the path of least resistance; we know this. It's why, for the longest time, people used one password for everything. People don't like using password managers, either, but we would all agree that it's unacceptably insecure to not use them, because the alternative is "one password used everywhere, maybe with a single varying digit on the end".
If you remove the ability to store 2FA codes in password managers, the path of least resistance becomes "people don't use 2FA at all".
A great expanse of users (note, not normally the ones who frequent HN) see all these 2FA codes, and passwords as well, as just an irritating impediment to accomplishing whatever goal it is they wish to accomplish at the time.
You can mitigate this risk by not depending on your password manager app to do cross-device sync: keep a file on Dropbox/OneDrive/iCloud Drive/SFTP/etc. and use an app like KeePass/Strongbox/etc. that just deals in managing credentials.
My KeePass file storage provider doesn't know what the hell I store there because it's encrypted (I hope there are no known issues with KeePass's crypto)
As a bonus, you can keep offline backups to mitigate other risks like house fire, lightning strike induced EMP frying things (happened to me), storage vendor goes out of business, and more.
-------------
I think in the end, there is no universal solution - you really have to try to be reasonable about estimating your own personal threats and risks (such as asking "am I more likely to suffer a password manager compromise or more likely to break a device?") to decide whether to keep 2FA next to passwords or not.
The argument is "because many people, if they can't keep the data together, will elect not to use 2FA at all if given a choice."
Any decent password manager would avoid autocompleting the password on the wrong domain in the first place. I.e.: it will already protect against phishing attacks anyway.
1Password's documentation used to have a whole article about how bad an idea it was to store TOTP in a password manager — but their stance completely changed at some point. Around the same time they started _recommending_ that you do so, and presented it as a key feature in the marketing material.
---
Personally, I think that the only valid reason to store a TOTP secret in a password manager is when you don't really care too much about an account (e.g.: prefer convenience over security), but the website demands that you set up 2FA.
https://1password.community/discussion/comment/496555
If someone has my password and my device how will a separate app help me in this case?
Honest question as the 1password model seems to be “something you know and something you have”.
A "2FA Mule"[1] solves this problem by staying in one place with constant power.
I receive plain old SMS 2FA codes while flying in an airplane.
I also don't care that much if I lose or destroy my personal mobile. In fact, I don't even know my current SIM number. If I lose my personal mobile I just edit a twiml bin at Twilio and point my number somewhere else ...
[1] https://kozubik.com/items/2famule/
There's lots of cases where 2FA reduces to 1FA. E.g. logging into a website on your mobile phone, and getting your TOTP or SMS code on that same phone. In fact, that case is so common I wonder if we should just get more used to the idea of 1FA, with smartphone passkeys/biometrics/SSO being the auth factor. As it stands, if you compromise someone's smartphone (and have their smartphone PIN), the odds are great you can autofill any password you like on their phone and pull up any needed 2FA tokens as well.
1. The key is generated by the server, not the client (human), so it cannot be reused like a password.
2. The authentication is temporally bound, so phishing only offers access for ~30 seconds, unlike a password where it provides unlimited access until someone changes it (never unless forced in practice).
3. It's literally required for many services, so you need to use it. The alternatives to storing your secrets in your password manager are keeping them on your phone (which is how most people log in anyway, so it's already becoming a single point of failure) or using something like SMS 2FA, which is even worse as SIM jacking is pretty trivially possible on most providers.
Backing up TOTP seeds encrypted is a good idea if you know what you’re doing.
It is a security-improving move when humans are factored in, not a trade-off between security and convenience.
Currently, bitwarden stores these encrypted, but they are unlocked with the rest of the password manager.
For now I'll stick to yubikey for 2FA.
But I wish I could use bitwarden as a layer of abstraction, such that bitwarden would always require my yubikey before allowing any of the passkeys or totp keys to be used.
I wonder why service providers don't have it already. They could even help ensure that the passwords are different and provide some interoperability between both vaults (e.g. TOTP on the mobile device is passed to PC password completions).
Or, when the author says “save the 2FA code” does he really mean “use the password manager to generate the 2FA codes”?
In the early days of MFA that thing meant a cellphone because it was SMS by default, but yeah, a laptop or computer of any kind is a "thing you have" as well.
https://github.com/kardianos/safekeysheet
It could be modified to also print out the otp as well if stored.
It does require some thought / hygiene but seems a fair compromise.
Storing 2FA codes in your password manager is not a good idea at all in case you get it breached. Otherwise it could be a convenient idea.
If your password manager gets breached you could also lose control of your 2FA, as it can be replaced as well.
We need to securely store our 2FA codes, sure. But I would advise not to use the "normal" password manager. I, for one, have them printed on paper.
Is that supposed to be remotely difficult? It'll take maybe an hour to whip up a script that takes the captured credentials, passes them on to a headless browser to attempt the login, captures the session cookie, and optionally refreshes the page regularly to keep the session active.