1Password and 2FA: Is it wrong to store passwords and one-time codes together? (2023)

These are the main threat models to be aware of:

1. Credential phishing. Where you store your TOTP secret doesn't matter.

2. OAuth phishing. Where you store your TOTP secret doesn't matter. (This also runs right through FIDO and has been growing in popularity for about a decade now: https://www.trendmicro.com/en_us/research/17/d/pawn-storm-ab...)

3. Data breaches. Where you store your TOTP secret doesn't matter unless your password manager backs up online, that's what gets breached, and the data isn't properly encrypted. Which has happened.

4. Malware. Where you store your TOTP secret matters. This is why U2F and FIDO2 have a user presence test, but the real-world value here is overstated. Malware can always just steal your tokens.

5. Physical access. Where you store your TOTP secret matters. If you care about security though you'll have other measures in place to keep someone with physical access out, which is enough against basically anyone except governments.

Summary: A "true" second factor doesn't really matter. What matters is deciding which scenarios you care about and making sure you have security you'll actually use given those constraints.

> For the majority of people, storing TOTP in 1Password is well within their risk tolerance. There will always be those of you who will trade that convenience because you want or require the added protection of true 2FA. And to those faithful hardware key crew members: Think of your true second factor as less “extra layer of security,” and more granular protection that will apply only if you’re subject to certain forms of attack.

this is the crux really. Especially when a web based password manager is in use [0], this is not at all within risk tolerance for people really striving for a long-term threat model which they do not need to revisit every couple of years.

Buying multiple hardware tokens and keeping one authenticator/TOTP app on phone is very practical the best you can do and it is secure, loss-proof and will last for a long time. Most services allow you to add multiple types of 2FA devices.

0. https://lock.cmpxchg8b.com/passmgrs.html

Multifactor Authentication is having at least two of the following:

* Something you know (such as a password)

* Something you have (security key, TOTP generator)

* Someone you are (biometrics, fingerprint/face id)

* Somewhere you are (network or geolocation)

Using a password manager app and TOTP generator app on the same phone is clearly a single point of failure and does not add meaningfully to your security compared to just storing the TOTP in the password manager. If your device is compromised the attacker has control of both apps potentially, and very likely the TOTP app does not require an additional password or factor. And unless you use a FIDO2 device for MFA, TOTP is not phishing resistant. You can mitigate these issues though.

However, if you require a specific device to access the password manager by one of the following methods:

* Offline password manager such as KeepassXC (needing the password database file)

* Needing a keyfile (like with KeepassXC or 1Password’s device key)

* Needing to be on a specific network such as VPN (when using a self-hosted password manager like Bitwarden and configuring the firewall to be limited to a wireguard network for example)

Does this count as an additional possession factor or location factor? And if it counts as a possession factor does it meaningfully increase your security posture to have multiple possession factors beyond a FIDO2 key?

Everyone is talking about threat models but like the actual use case here is some web service that doesn’t matter very much that you use sometimes and if it was compromised that wouldn’t matter either but they make you use some fucking login scheme that adds extra time to your day. Or even more accurately they insist on you using their own proprietary mobile app to get a code which really only exists to track you and make trouble when you log in from a different city or have a VA log in for you, spawning a call from them to try to insist on you buying extra licenses so you find the fine print link that lets you use a TOTP instead and get a few minutes of your life back every time as well as their useless fucking app off your iPhone.

As is often the case in this discussion, the die hard security people will quote the definition of “true” multi-factor with the standard “at least two of something you ____”, but this level of security isn’t needed for most sites.

I find it helpful to think of most “2-step” logins as simply an extension of passwords (one-factor), plus an admission that both users and web sites/apps are completely incapable of following the rules of password management. Users can’t stop reusing passwords, and web sites can’t properly store them and avoid getting hacked.

2 step logins are a method to force users to use a password that changes every 30 seconds, and that password is unique per web site/app. It shouldn’t be seen as a true multi-factor in the traditional sense.

It is really a bad article. Instead of making things easy to understand it makes things more complex.

Factors are : Knowledge (password), Inherence (biometrics) & Possession (device).

If you have multiple same factor it remains single factor.

1password itself is only one factor for authentication whatever they offer (password, totp, passkey).

Say, I want to go the extra mile of not storing them together. What would I have to do?

- Both in same password manager is obviously storing together.

- Both on same phone, but different apps. There are the subvariants of: password manager and dedicated OTP app or two different password managers. Also there is the consideration where the apps really store the secret data, e.g. system provided vault

- OTP on a separate device

I think the middle option has too many ifs and buts and you could argue that as long as its the same device it's not really separate.

So dedicated OTP token. What should I use?

Cheap mobile phone? Does it need a SIM? Are there dedicated devices? Can they store multiple keys?

How much we care about trying as users to keep our accounts secure, the websites aren’t that good to keep our data secure. How many data breaches we had in last 5 years that affected all of us. I feel like at least a few affected me.

So in that case storing OTP with passwords or don’t does not matter.