Modern login systems require a second factor (2FA) to log in, in addition to the standard username and password combination. A time-based one-time password (TOTP), usually a 6-digit code, is often used as that second factor. Password managers like 1Password, KeePass (or its forks) and others offer the ability to store the TOTP secret and generate the codes.
For a long time, I was asking myself:
Why is it recommended to have a Username, Password, and 2FA in the same storage (like 1Password)? Isn’t this against the basic idea of a second factor (regarding the storage places to gain access to)?
Or differently:
Is storing 2FA codes (for GitHub, Okta, etc.) in 1Password next to the username/password combination preferred? If yes, why?
Luckily enough, I had the opportunity to work with people who know their security topics very well. So, I just asked them ⬇️
Antti Kurittu responded:
The main advantage of 2FA is that it is much more difficult to gain access to your accounts via phishing attacks. A time-based 2FA (TOTP) is time-sensitive, and a man-in-the-middle or proxy needs to be set up to capture that in real time. Using 2FA with any provider or storage method protects against most phishing attacks seen in the wild.
1Password allows storing this token alongside your username and password. This is a convenient feature that is meant to make using 2FA easier. It is marginally less safe because the 2FA token is accessible to the attacker if they successfully compromise your password manager. Still, it does not remove the main benefit of using 2FA in the first place, which is neutering most phishing attacks. The 2FA token will still be required when the attacker tries to access your account.
The fact that 1Password offers to fill passwords based on domain name protects your account because a lookalike domain or an entirely fraudulent domain will not prompt 1Password to offer auto-filling but will require copy-pasting credentials from the app to the harmful website. If you see an autofill prompt, 1Password has associated those credentials with the website you’re accessing, including the 2FA prompt.
For maximum security, you can store your 2FA token elsewhere, like a YubiKey (see Yubico Authenticator) or Google Authenticator, and keep the recovery codes safe somewhere outside your computer, but for general purpose use, storing your 2FA in your password manager is an acceptable solution due to the convenience benefits it provides.
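The time-sensitivity Antti describes, shown as an added example (not code from the original post or from 1Password): an RFC 6238 TOTP generator and verifier using the RFC's published reference secret, with an assumed server-side skew window of one 30-second step on either side. A code captured at one moment verifies then, but is rejected once the window has passed.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890"),
# base32-encoded the way authenticator apps and password managers store it.
SHARED_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # code length used by most services


def hotp(secret_b32: str, counter: int) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10**DIGITS).zfill(DIGITS)


def totp(secret_b32: str, at: int) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, at // STEP_SECONDS)


def verify_totp(secret_b32: str, code: str, at: int, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` adjacent steps
    (clock-skew tolerance; window=1 is an assumed, common server setting).
    Older codes fail, so a phished code is only useful if relayed immediately."""
    counter = at // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + delta), code)
        for delta in range(-window, window + 1)
    )


def replay_demo(secret_b32: str, captured_at: int, replayed_at: int) -> tuple:
    """Return (valid when captured, valid when replayed later)."""
    code = totp(secret_b32, captured_at)
    return verify_totp(secret_b32, code, captured_at), verify_totp(secret_b32, code, replayed_at)


if __name__ == "__main__":
    print("current code:", totp(SHARED_SECRET_B32, int(time.time())))
    print("captured at t=59, replayed at t=179:", replay_demo(SHARED_SECRET_B32, 59, 179))
```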
Jamie Arlen added:
There’s also the very simple view that backs the entire point of password managers: “Keeping your cryptographic keys safe is a seriously difficult problem to solve”. Centralizing them has a couple of downsides, but if you do a threat model and balance the unmitigated risks, using (for example) Google Authenticator to store your TOTP codes is significantly more likely to result in negative outcomes. The codes are only stored on the one easily lost/dropped/broken device. With 1Password, you’ve got access to them across all of your devices.
The pattern I use (and prefer both professionally and personally) is:
- Extensive use of password manager (I use 1Password) and not browser or operating system-based password storage. This requires active curation of the profiles for the various usernames/passwords I have.
- Store all (except two) TOTP codes and screenshots of recovery keys in 1Password
- Additionally, store recovery keys for personal use in an encrypted drive replicated through iCloud/OneDrive/Google Drive and to a private share located at a family member’s house with a separate memorable 32-character passphrase.
- Two TOTP codes are not stored in 1Password:
  - 1Password’s own TOTP code
  - The TOTP code to my “account signup email” address
- These codes are stored on a set of three YubiKeys: one in my Every Day Carry (EDC), one in a safe place at home, and one in my bug-out bag. The recovery codes and initiation vectors for these are also in hardcopy with other important papers in a safety deposit box at the bank.
It’s pretty secure, but most importantly, it’s a very usable system. The usability is what makes it so important. Much like the phrase “the best camera in the world is the one you have with you,” the best password manager is the one that you actually use, and convenience will make it important.
Thanks a lot, Antti and Jamie.