
Can it store TOTPs and passkeys as well? These are two things encountered even by "regular people" more and more.

Especially keeping passkeys platform-independent is a huge advantage, in my view.



There will always be different opinions, but my opinion is that storing your TOTPs in your password manager is at best a reduction in security because you're reducing your 2 factors down to 1 factor. If the password manager gets compromised (even phished! It needn't involve the password manager's servers getting hacked), then you gain nothing by having 2FA enabled.

I would strongly advise using something like Aegis on Android, or Gnome Authenticator on desktop (or both). I like to duplicate/backup my seeds so that I'm not SOL if my phone breaks, but I do it by having them on my laptop, desktop, and phone. That way as long as I have one of the three devices, I can always get in, and then they're not "in the cloud." Though, "in the cloud" is still better than "in the cloud alongside all my passwords."


The only true 2nd factor is a setup where your totp codes live on a separate piece of physical hardware. If your totp codes are in an app on your phone, and your password is in a different app on your phone, you're not pure 2nd factor despite convincing yourself that you are. Anything that is convenient is not real 2FA. Real 2FA needs to be pick two of: a password in your head, a verifiable biometric signature, a code/key on your phone or separate physical hardware yubikey.

I'm not saying I think everyone needs real 2FA. I think 99.999% of the time storing your 2FA codes in your PW manager, or just moving on to Passkeys, is the right answer. 2FA is a hack put in place to mitigate passwords being relatively insecure and phishable. It's supplanted by Passkeys.


I think you're letting perfect be the enemy of good. It doesn't have to be pure 2FA to be better than 1FA. Being in separate apps does give some benefits. It's always going to be harder to compromise two apps than it is to compromise just one of them (even if the difficulty increase is marginal, it's non-zero). Often simply not being low-hanging fruit is enough to save you from an attack.

There are plenty of things for which a 2FA in PW manager is fine, but the most important things I think it's an unnecessary and regretful reduction in security. For example, email account. Email is the "forgot password" way to get access to almost everything, so it's worth a trifling inconvenience in having to load your 2FA into a different app. Same with things like AWS, Cloudflare, and other high-value targets. For the vast majority of people, keeping your Twitter seeds in your PW manager is fine, but it's foolish to do that with your email and other high-value targets, and IMHO if you're already going to have to have two apps, you might as well just standardize and keep the seeds in your authenticator app, and your passwords in your vault. YMMV


No I’m specifically not. Did you read my 2nd paragraph? It’s essentially your argument here.

The person I was responding to was arguing that totp in pw manager is no good. Maybe you meant to reply to them and not me?


I did read your second paragraph. There is some ambiguity, but I ultimately decided you weren't agreeing with me because you said (emphasis added):

> I think 99.999% of the time storing your 2FA codes in your PW manager, or just moving on to Passkeys, is the right answer.

If you're storing your 2FA codes in your PW manager, then you're NOT using separate apps. You're using the same app (your PW manager). My argument is that you should use separate apps for the things that matter, like your email (which can be used to get access to almost every other account), and since you're already using separate apps for those things, you might as well just be consistent so you don't have to remember where each TOTP token is stored.

I see three levels we've discussed:

1. Pure 2FA using hardware token or equivalent (which I agree is rarely needed)

2. Impure 2FA but separate app for storing passwords and TOTP tokens (which I'm advocating for)

3. Storing TOTP tokens in PW manager (which you appear to be arguing for in 99.999% of cases, which is basically all of them)

If you are actually advocating for level 2, then we agree, but from reading your 2nd paragraph it seems pretty clearly to be arguing for level 3.


I may be arguing for (3) but then I’m not letting the perfect be the enemy of the good. I don’t fancy the security types that do that.


> Real 2FA needs to be pick two of: a password in your head, a verifiable biometric signature, a code/key on your phone or separate physical hardware yubikey.

My thumbprint isn't stored on my phone, so I have two factors.

From the PCI Security Standards supplement on MFA,

> The issue with authentication credentials embedded into the device is a potential loss of independence between factors—i.e., physical possession of the device can grant access to a secret (something you know) as well as a token (something you have) such as the device itself, or a certificate or software token stored or generated on the device. As such, independence of authentication factors is often accomplished through physical separation of the factors; however, highly robust and isolated execution environments (such as a Trusted Execution Environment [TEE], Secure Element [SE], and Trusted Platform Module [TPM]) may also be able to meet the independence requirements.

So your phone can constitute a token, while the biometric constitutes the second factor. I don't know about Apple phones, but Google's requirements for biometrics are:

> Capturing and recognizing your fingerprint must happen in a secure part of the hardware known as a Trusted Execution Environment (TEE).

> Hardware access must be limited to the TEE and protected by an SELinux policy.

> Fingerprint data must be secured within sensor hardware or trusted memory so that images of your fingerprint aren't accessible.


I think you misunderstood me. I agree that biometric plus password or device key would constitute two factors. I perhaps believe that you can't really trust the device to have performed biometric verification without some sort of software attestation. So if the security of your protocol depends on two factors, you'd need to, yes, have a biometric signature or remote attestation that a biometric check has been performed.


> Anything that is convenient is not real 2FA.

That's a pretty user-hostile attitude. Sure, some combinations of factors are pretty unergonomic, but I'd call that a bug, not a feature.

It's also incorrectly suggesting that somehow complexity/painful usability automatically yields security, while usually the opposite is true:

An effective secure authentication solution absolutely must consider usability, or it's doomed to be circumvented by users in one way or another (either via some insecure practice, or by your users simply ceasing to be your users).


I’m speaking to how things are practically implemented, not making a statement about ideals.


This depends on the threat model. Having 2FA in the PW manager defends against someone phishing the password and database leaks on the server side, which are the most common in my threat model. But note that if they can phish your pw, they can probably phish your 2FA as well.

It does obviously not protect against the scenario where someone is breaking into your password vault.

I tend to enable 2FA but conveniently save the token in the PW manager for relatively low equity stuff, just to make it less enticing for an attacker, but use hardware FIDO for everything actually important.


Same here.

TOTP is trivially phishable via evil nginx just like your password, and via social engineering.

FIDO2 is not phishable and you have no secret to give out to social engineering attacks.


> TOTP is trivially phishable . . . via social engineering

Is it? I've been on the Internet since the 80s and haven't been phished a single time (despite being the recipient of many obvious attempts). Maybe I could be phished, but I think that's evidence it's not trivial.

I have to wonder how many people sophisticated enough to use and pay for a password manager like Bitwarden could be "trivially" phished.


That's great for you, but also a sample size of one (probably technically sophisticated) user, i.e. irrelevant to the bigger picture.

The phishability of TOTP really is exactly as bad as that of passwords, except that a once-phished TOTP isn't reusable by the attacker(s), unlike a phished password.

But even one-time access is often catastrophic, especially if it allows the attacker to rotate credentials.


Sometimes the TOTP is forced on me for a service I really don't care about. That's most of mine, actually.


Indeed, when that's the case I think the PW manager is fine.

Though, if you already have to have an app for the important stuff like your email, then IMHO it's actually simpler to just keep them all in one place even if you don't care too much about some of the tokens. Just one less thing you have to remember (i.e. where did I put service X's token again? was that in Bitwarden or Aegis? etc).


It's still 2 factors though, if someone discovers your password they don't automatically know the TOTP key. So I use TOTP in my password manager for sites where I wouldn't use 2FA otherwise (because using my phone would be inconvenient), so it's still a security improvement for me. And for critical accounts I do use Aegis on my phone.


That's not 2FA, that's two of the same factor.

The factors are:

- Something you know

- Something you have

- Something you are (biometrics)


That list makes for a nice slide deck but the separation (like many things in tech) isn't as clear cut as the metaphor.

"Something you know" (password) becomes "something you have" as soon as you store/autogenerate/rotate those passwords in a manager (which is highly recommended).

"Something you have" in the form of a hw key is still that device generating a key (password) that device/browser APIs convey to the service in the same way as any other password.

"Something you are" is a bit different due to the algorithms used to match biometric IDs but given that matching is less secure than cryptographic hash functions - this factor is only included in the list for convenience reasons.

The breakdown of this metaphor is one of the reasons passkeys are seen as a good thing.


Not sure what you mean, it's still a second unique token that an attacker would need to know to access my account, so it's improving my security even when stored in my password manager. This was in response to grandparent's opinion that it's "at best a reduction in security".

I'm not talking about my password vault getting breached, in that case I'd be fucked either way.


> I'm not talking about my password vault getting breached, in that case I'd be fucked either way.

But that's the whole point. If your password vault is breached, the second factor is what prevents you from being fucked. That's why putting your seeds in the vault is a reduction in security. It may be a reduction/risk that you're willing to take for convenience, but it's still a reduction.


Aegis is no more secure than storing your TOTPs in your password manager - 2 factors primarily protect against remote attacks, which don't have direct access, in which case the app your 2nd factor lives in is moot. If your threat model involves direct access you need dedicated hardware for your 2nd factor. Most people are fine with TOTP in pw manager.

(I do use Aegis as I like the UX but that's a separate topic)


Doesn't having the seeds available on all of the devices make it not 2FA? You now need only one device to login at any given time.


The second factor isn’t a second device, it’s the TOTP code.


No, factors are supposed to have different qualities, such as:

"Something you know"; "something you have"; "something you do"; "something you are [biometrics]"; "somewhere you are [geolocation]".

Passwords are in your head - "something you know".

TOTP codes are generated by a hardware token - "something you have".

If the TOTP codes are crammed into your password manager, then the factors are no longer distinguished by these qualities, but they're now the same factor, and it's not true MFA anymore, whether or not they're split up across devices, or apps.


Actually, they are pretty much split up. To get access to my passwords and TOTP secrets, the attacker needs one of my devices (something I have) and its password (something I know) or my face/fingerprint (something I am).

The whole point of a fully featured password manager like 1Password or Bitwarden is to rely on it instead of the security of the service you're using. And that implies that you must trust the security of the vault itself.

Of course, each device you have is an additional (and equally dangerous) attack surface. However, most people should be more worried if someone hacks into their devices than their Facebook accounts anyway.


2FA via TOTP implies two things: 1) you know a password; 2) you know the seed. This is why people criticize that approach. In practice, knowing a password and having a file (seed) seem different enough, and work against some phishing threats.

Logging in through a password manager requires that you know a password (your master password), and have a file (your vault).


Or alternatively something you are (fingerprint) alongside something you have.


I mean, if you're using a password manager, you're already protecting against 99% of the things that 2FA is designed to protect against. If you really wanted to, it would probably make the most sense to enable 2FA on your password manager?


Not really — I do it just for peace of mind, TBH. Although your primary password could be cracked somehow, so it doesn't hurt to have this additional layer.


Yes, though TOTPs will run you a (worth it imo) $10/year subscription. Passkeys have been supported for a while (free) on all major platforms, and I haven't seen any issues with it.


Yes, Bitwarden can store both.


I was referring to Firefox with that question.


It can't, you need a browser extension for that.


Ah, sorry for misunderstanding.



