You are better off security-wise with 2FA enabled than without it (for the phishing-related reasons mentioned in TFA - EDIT: taviso is correct in their comment, it's more about protection against credential stuffing than phishing), regardless of where you put the codes, so if being able to put the codes in your password manager is going to be the difference-maker in someone electing to use 2FA, they should do it.
It's the same idea with using a password manager in the first place - if a password manager is going to be the thing that gets you to use secure passwords that vary across services, it's worth the tradeoff of having all of those passwords in one place, because you're much more likely to be compromised by a bad password than by a password manager leak.
The risk is that if your password manager's database is stolen, then an attacker can do an offline decryption attack on it, and should they succeed, they have both parts of the login to compromise you.
At the very least, you SHOULD keep the 2FA credentials in a separate database (IE, keepassxc can keep multiple databases), so an attacker would need to double their efforts to get both parts of the login.
Are there any reasonable attacks against AES-GCM-256 where the key is a mix of a randomly generated 128-bit key and a password? If not then I have no concerns about an attacker cracking my 1Password database.
The threat model of password managers and encryption as a whole assumes that the adversary has the ciphertext. If the adversary can decrypt it, then the encryption algorithm is fundamentally broken.
There is literally no point to encryption if possession of the ciphertext is sufficient to extract the secret.
After seeing people lose cryptocurrency first hand through the LastPass leaks (hot wallet seed phrases, which is still stupid to have online but..), I really feel like the odds of a leak being the cause of any issues higher than a bad password, for tech savvy security conscious users at least.
Wasn't that because they had backed up their password vaults to LastPass' cloud service?
I use KeePass, never upgrade it, and only back it up to my own cold spinning drives. If malware stole my local vault I'd be in trouble, but it's more convenient than keeping my passwords on paper.
Part of why I avoid password managers that use their own cloud system. Storing my vault in a regular cloud database, not a password-specific one, to me makes it much less likely my vault will be compromised.
> After seeing people lose cryptocurrency first hand through the LastPass leaks
The reason for those losses was partially that LastPass was encrypting with extremely low iterations on long-standing accounts (it also may not have helped that they didn't encrypt URLs either). That was a terrible practice which isn't duplicated by credible alternatives.
As a matter of opinion you may still be right, though personally I consider the risks of a bad password to be higher than a leak purely because without a password manager making it simple to use long random passwords most do tend to be bad ones (duplicated/short/guessable/engineerable) as those are the only ones that are memorable.
It's the usual trade-off between security and usability, with the perfect being the enemy of the good, especially in regard to pushing less technical users to solutions which may not be ideal but are still much safer.
Because don't sites with passkeys generally still allow you to fall back to password, since it's common for people to lose their phone and then lose their passkey? Whereas sites with 2FA obviously don't, and have more complicated/secure recovery mechanisms?
So seems to me like 2FA (TOTP's) are currently vastly better in practice?
How many places is generally irrelevant. If a system requires user to provide 2 factors to authenticate, it is 2FA. A password manager software itself should be no exception.
If the vault requires a hardware key and master password to access the encrypted password and token, would you still describe it as single-factor authentication?
TOTP tokens aren’t really MFA anyway. They are just another type of password that is more protecting against bad password practices and other compromises. They deliver multi-step auth.
Tokens that increase the trust level of an authentication come with additional controls (tamper resistant hardware, passcode, etc)
For normal people, a FIDO token delivers the highest level of security and integrity.
The reason I store 2FA codes in my password manager is as a protest to companies forcing me to have a 2FA. I don't want to be randomly locked out of my google account due to not having a usable 2FA, and I also don't want to depend on having a single device be always available to provide the codes.
In practice, I feel the main reason 2FA is popular is because people cannot be trusted to create unique and secure passwords for every service. The phishing-resistance is nice, but I'd prefer it being the only credential, and just having it be autofilled (making it longer to combat bruteforce), like what we currently have with password managers...
Yes, my point of view is that using a password manager with unique and strong passwords everywhere is bringing most of the benefits you get with TOTP, and then you can have TOTP for compliance with security policy only.
Passkeys are a shitshow at the moment, I store passkeys in my password manager along with 2fa codes as it is the only way to make them reasonably usable. And obviously the only other way to manage passkeys is to rely either on a single device, trust big corps and vendor lock in, or to have multiple passkeys on multiple devices/services for the same sites/accounts.
I store 2FA keys in a fingerprint protected Aegis vault on my phone, and I periodically export an encrypted (with a master password I remember) backup that I then email to my parents.
I get their argument that 2FA makes phishing more difficult, but I disagree that it's its "primary use", or that the distributed factor is unimportant. I personally wouldn't feel comfortable having all my important accounts behind Bitwarden's single point of failure. 2FA for important accounts mitigates the damage if my Bitwarden is broken into.
I'm not familiar with the expert they consulted, but the claim that "The main advantage of 2FA is that it is much more difficult to gain access to your accounts via phishing attacks" is just plain false.
TOTP or SMS-2FA are obviously phishable, if you just entered your password into a phishing site, why wouldn't you also enter a TOTP code? I usually point to Modlishka as a practical example (https://vimeo.com/308709275) to help visualize this.
In fact, the main (claimed) advantage of 2FA is that it prevents "Credential Stuffing" of reused passwords. I personally don't think TOTP (or similar) are a good solution to this problem at all, but this is a thorny issue.
The point here, I believe, is that 1Password will only prompt you to enter the 2FA code if the domains match, same with the password. Your point that if you've already decided to enter your password then entering the 2FA code isn't much of a hurdle is sound, but from the perspective of a user of 1Password, it is indeed very surprising (and rare!) when I try to log in to a page and find that 1Password won't show my log in because the domains don't match. It happens, usually due to some cross-origin login flow, but it's rare. So I think the claim isn't false, it's just based on a premise that might not factor in for different people.
If domain doesn't match, password manager of choice will not suggest to populate credentials. In that case it doesn't matter if 2FA is saved by the password manager, or is managed on another device, because you won't have the chance to use the 2FA.
If domain doesn't match, and you manually copy the password, and login, you can as well manually copy the 2FA code.
I think their point was that it's less phishable from the perspective of needing the attacker to try logging into the site with it in realtime instead of being able to just store the password for some later time. The needed concurrency makes it more difficult (if only slightly).
I'm curious though why you don't think TOTP or similar are good against credential stuffing though, would you be able to expand upon that?
Imagine you reuse the same password everywhere, and are sick of credential stuffing attacks. You ask your friend for advice, and your friend tells you to just enable TOTP when available, explaining that when there is a data breach you will be safe.
That is obviously bad advice, the vast majority of services do not use TOTP and you will have to race attackers to change your credentials quickly at dozens (hundreds?) of services. I think a reasonable person would say that you have not "prevented" credential stuffing.
A far better solution is unique passwords, it works today with all service providers.
It's better than not having 2fa, but a breach to your password manager would give any attacker full control over your accounts.
A better approach would be to split in two solutions where you store passwords and 2fa keys.
I use bitwarden for passwords, but save all 2fa in aegis. These two have different 5 word passphrases prefixed with a regular 8 char password to increase entropy. I save a backup of the 2fa db to a replicated storage with a synthetic password. For bitwarden I delegate persistence of the data to bitwarden, but it would make sense to take encrypted backups regularly.
The disaster recover protocol is to have a smaller 2fa encrypted database printed in paper. I know the password to this db. Recovering this DB gives me access to bitwarden and the cloud storage, which gives me access to the rest of my password and keys.
Similar - I use Bitwarden for passwords and Authy for 2FA so a compromise of only one of them is not a disaster (assuming a site supports 2FA which my important ones largely do).
Authy is nice because it takes care of replication, but once you have all your devices synced I'd disable adding new devices, otherwise it'll expose your 2fa in case of SIM card breaches
I disagree with the experts here. There was and is absolutely nothing wrong, and quite a lot right, by having the 2FA program completely separate from your password vault. At best, this is a lateral security trade-off that you are paying them to provide. View the 2FA feature from a software marketing and sales lens. Can you see how it's just feature creep, driven by competition doing the exact same thing?
Same here. It seems like they are very narrowly optimizing for the extremely rare case of a person who simultaneously:
A) Is fooled by a phishing attack
and
B) Is not fooled enough to manually copy-paste credentials from their password manager after noticing that the autofill didn't work
Does a person like this exist somewhere? Sure, if you interview 1 million people, I'm sure you will find 1 person like this.
It is very, very strange to me that the security "experts" are narrowly optimizing for this specific user and downplaying all the risks related to their recommendation.
In my previous company we hired a startup that did security training, that recommanded everyone use a password manager. And one of their test was that they sent a fake phishing email to people (randomized over a couple of months so not everyone would get it the same day).
I don't remember the exact number but something like 30% of people who didn't use a password manager got caught. Basically no-one using a manager was.
Granted there might be some selection bias (people who had managers were probably already slightly more security conscious), but people were feeling slightly embarrassed to have been caught and it worked great to have everyone do the switch. And everyone remembered after that that if it doesn't autofill, something's amiss.
The most common 2FA mobile app that isn’t a password manager is Google Authenticator.
Google Authenticator doesn’t export the seeds or store the seeds in the device backup, or sync them, so when you lose or upgrade that phone, you lose all your TOTP. This is bad.
Also, TOTP in general is bad, because it is easily phished, just like passwords. Using a password manager to store TOTP cuts down on phishing risk as it won’t input them into the wrong domain site. Copying them manually from a different app is still vulnerable to phishing.
> Google Authenticator doesn’t export the seeds or store the seeds in the device backup, or sync them, so when you lose or upgrade that phone, you lose all your TOTP. This is bad.
FreeOTP+, available on FDroid [1] provides for import/export of one's stored codes.
The problem with "phishing" is not the technology. Phishing is 100% a human issue and no matter what tech. you might use, those humans vulnerable to being phished will find a way to be phished.
For Google Authenticator, you can do an export for device migration. Once it shows the QR code image, snap it and then abort the migration. Back up the QR code for later restoration.
> There was and is absolutely nothing wrong, and quite a lot right, by having the 2FA program completely separate from your password vault.
Did you read the article? That's what they say.
> For maximum security, you can store your 2FA token elsewhere ... but for general purpose use, storing your 2FA in your password manager is an acceptable solution due to the convenience benefits it provides.
No, that's not what they say. If you read the text that you just now quoted, you will see that it says "storing your 2FA in your password manager is an acceptable solution due to the convenience benefits it provides". Clearly the writer of that text believes there _is_ something wrong with having 2FA completely separate from the password vault: it is less convenient, to the extent where they are happy recommending this horrible approach to laypersons.
In addition, if you go and read OP, you will find that they talk about the potential of losing access to your TOTP codes stored in Google Authenticator. So that's another thing that counts as "something wrong" with storing 2FA separately from password vault.
So there's at least 2 things in the article that count as "something wrong". So they definitely didn't say that there's "absolutely nothing wrong".
More generally: the world would be a better place if most people relied on password managers. If you can do it reliably, using any password manager, even the one built into your browser or OS, is better than not using one.
The problem is that it requires a certain amount of good hygiene when it comes to computer equipment. There are many people who are bad with computers, who don’t have phone backups and lose their phone, who will share accounts and devices, and so on. The result is an insecure mess.
So, solving the “people should use a password manager” problem requires solving all the other issues surrounding how non-technical people use and misuse computer equipment, so that having a password manager and not losing the essential data stored in it becomes the default.
For some people, it would probably be safer and easier to write down your passwords on paper, in a notebook. Other people will lose the notebook, or have it stolen from them. There are similar but more complicated issues with holding onto computer devices.
For people who are bad with computers, I think passkeys could work ok in scenario where somebody has just one device, they never upgrade it, never lose it, never break it, never accidentally click on "log out" in their passkey provider's account.
Important to note that not all password managers are equal. Using Apple’s built-in password manager is more secure because it is inherently tied to your biometrics and authentication is hardware-based, i.e Secure Enclave. This is categorically different from web services like Bitwarden or 1Password authenticated by login email and 2FA codes. Even if someone got into your Apple ID they still would be unable to view or sync your passwords without biometrics.
Absolutely the opposite. Using Apple's built in one is less secure because it is within the ecosystem that you are subject to; if you are locked out of said ecosystem, you are locked out of everything. Password managers should never ever be inside your ecosystem. That is why people often manage the database syncing themselves and relying on the database own strength, eg kdbx.
To insure against being locked out of my Apple ID I simply export and store my own backups periodically. Good idea regardless of which provider you use.
If someone can login via your Apple ID, which means that the person knows username/password, and can also convince you to provide them with 2FA code that gets shown on your existing device, they can just add a new device to your account, and get passwords to sync to it.
If someone knows your username and password and can convince you to give them a TOTP code, then yeah they can log in to your account. That’s hardly iCloud-specific.
Nope. Check the Apple documentation, that’s not how it works. Even if Mallory gets your Apple ID and 2FA code you still need biometrics from a nearby device to initiate password sync.
This is a special requirement for Passwords that does not apply to other encrypted data in your Apple account.
Readit News
It's the same idea with using a password manager in the first place - if a password manager is going to be the thing that gets you to use secure passwords that vary across services, it's worth the tradeoff of having all of those passwords in one place, because you're much more likely to be compromised by a bad password than by a password manager leak.
At the very least, you SHOULD keep the 2FA credentials in a separate database (IE, keepassxc can keep multiple databases), so an attacker would need to double their efforts to get both parts of the login.
There is literally no point to encryption if possession of the ciphertext is sufficient to extract the secret.
This is what I do for my keepass database. It means I can store my database in a cloud service of my choice for sync purposes too.
I use KeePass, never upgrade it, and only back it up to my own cold spinning drives. If malware stole my local vault I'd be in trouble, but it's more convenient than keeping my passwords on paper.
The reason for those losses was partially that LastPass was encrypting with extremely low iterations on long-standing accounts (it also may not have helped that they didn't encrypt URLs either). That was a terrible practice which isn't duplicated by credible alternatives.
As a matter of opinion you may still be right, though personally I consider the risks of a bad password to be higher than a leak purely because without a password manager making it simple to use long random passwords most do tend to be bad ones (duplicated/short/guessable/engineerable) as those are the only ones that are memorable.
It's the usual trade-off between security and usability, with the perfect being the enemy of the good, especially in regard to pushing less technical users to solutions which may not be ideal but are still much safer.
But why would it be better to use passkeys?
Because don't sites with passkeys generally still allow you to fall back to password, since it's common for people to lose their phone and then lose their passkey? Whereas sites with 2FA obviously don't, and have more complicated/secure recovery mechanisms?
So seems to me like 2FA (TOTP's) are currently vastly better in practice?
Tokens that increase the trust level of an authentication come with additional controls (tamper resistant hardware, passcode, etc)
For normal people, a FIDO token delivers the highest level of security and integrity.
In practice, I feel the main reason 2FA is popular is because people cannot be trusted to create unique and secure passwords for every service. The phishing-resistance is nice, but I'd prefer it being the only credential, and just having it be autofilled (making it longer to combat bruteforce), like what we currently have with password managers...
Here's to hoping passkeys turn out any better.
Right. This is the killer features of passkeys.
Then again, I do this for accounts that I really care about, I just keep TOTP in my password manager for accounts that are not worth the effort.
I get their argument that 2FA makes phishing more difficult, but I disagree that it's its "primary use", or that the distributed factor is unimportant. I personally wouldn't feel comfortable having all my important accounts behind Bitwarden's single point of failure. 2FA for important accounts mitigates the damage if my Bitwarden is broken into.
TOTP or SMS-2FA are obviously phishable, if you just entered your password into a phishing site, why wouldn't you also enter a TOTP code? I usually point to Modlishka as a practical example (https://vimeo.com/308709275) to help visualize this.
In fact, the main (claimed) advantage of 2FA is that it prevents "Credential Stuffing" of reused passwords. I personally don't think TOTP (or similar) are a good solution to this problem at all, but this is a thorny issue.
If domain doesn't match, and you manually copy the password, and login, you can as well manually copy the 2FA code.
Yes, same with the password.
So it is not an advantage of 2FA.
I'm curious though why you don't think TOTP or similar are good against credential stuffing though, would you be able to expand upon that?
> I'm curious though why you don't think TOTP or similar are good against credential stuffing though
I have written about this before, but looks like I lost the article somehow. https://web.archive.org/web/20210219185711/https://blog.cmpx...
Imagine you reuse the same password everywhere, and are sick of credential stuffing attacks. You ask your friend for advice, and your friend tells you to just enable TOTP when available, explaining that when there is a data breach you will be safe.
That is obviously bad advice, the vast majority of services do not use TOTP and you will have to race attackers to change your credentials quickly at dozens (hundreds?) of services. I think a reasonable person would say that you have not "prevented" credential stuffing.
A far better solution is unique passwords, it works today with all service providers.
A better approach would be to split in two solutions where you store passwords and 2fa keys.
I use bitwarden for passwords, but save all 2fa in aegis. These two have different 5 word passphrases prefixed with a regular 8 char password to increase entropy. I save a backup of the 2fa db to a replicated storage with a synthetic password. For bitwarden I delegate persistence of the data to bitwarden, but it would make sense to take encrypted backups regularly.
The disaster recover protocol is to have a smaller 2fa encrypted database printed in paper. I know the password to this db. Recovering this DB gives me access to bitwarden and the cloud storage, which gives me access to the rest of my password and keys.
A) Is fooled by a phishing attack
and
B) Is not fooled enough to manually copy-paste credentials from their password manager after noticing that the autofill didn't work
Does a person like this exist somewhere? Sure, if you interview 1 million people, I'm sure you will find 1 person like this.
It is very, very strange to me that the security "experts" are narrowly optimizing for this specific user and downplaying all the risks related to their recommendation.
I don't remember the exact number but something like 30% of people who didn't use a password manager got caught. Basically no-one using a manager was.
Granted there might be some selection bias (people who had managers were probably already slightly more security conscious), but people were feeling slightly embarrassed to have been caught and it worked great to have everyone do the switch. And everyone remembered after that that if it doesn't autofill, something's amiss.
Google Authenticator doesn’t export the seeds or store the seeds in the device backup, or sync them, so when you lose or upgrade that phone, you lose all your TOTP. This is bad.
Also, TOTP in general is bad, because it is easily phished, just like passwords. Using a password manager to store TOTP cuts down on phishing risk as it won’t input them into the wrong domain site. Copying them manually from a different app is still vulnerable to phishing.
Not true anymore. [0]
[0]: https://www.theverge.com/2023/4/24/23696058/google-authentic...
https://security.googleblog.com/2023/04/google-authenticator...
The problem with "phishing" is not the technology. Phishing is 100% a human issue and no matter what tech. you might use, those humans vulnerable to being phished will find a way to be phished.
[1] https://f-droid.org/en/packages/org.liberty.android.freeotpp...
Did you read the article? That's what they say.
> For maximum security, you can store your 2FA token elsewhere ... but for general purpose use, storing your 2FA in your password manager is an acceptable solution due to the convenience benefits it provides.
No, that's not what they say. If you read the text that you just now quoted, you will see that it says "storing your 2FA in your password manager is an acceptable solution due to the convenience benefits it provides". Clearly the writer of that text believes there _is_ something wrong with having 2FA completely separate from the password vault: it is less convenient, to the extent where they are happy recommending this horrible approach to laypersons.
In addition, if you go and read OP, you will find that they talk about the potential of losing access to your TOTP codes stored in Google Authenticator. So that's another thing that counts as "something wrong" with storing 2FA separately from password vault.
So there's at least 2 things in the article that count as "something wrong". So they definitely didn't say that there's "absolutely nothing wrong".
The problem is that it requires a certain amount of good hygiene when it comes to computer equipment. There are many people who are bad with computers, who don’t have phone backups and lose their phone, who will share accounts and devices, and so on. The result is an insecure mess.
So, solving the “people should use a password manager” problem requires solving all the other issues surrounding how non-technical people use and misuse computer equipment, so that having a password manager and not losing the essential data stored in it becomes the default.
For some people, it would probably be safer and easier to write down your passwords on paper, in a notebook. Other people will lose the notebook, or have it stolen from them. There are similar but more complicated issues with holding onto computer devices.
If someone can login via your Apple ID, which means that the person knows username/password, and can also convince you to provide them with 2FA code that gets shown on your existing device, they can just add a new device to your account, and get passwords to sync to it.
This is a special requirement for Passwords that does not apply to other encrypted data in your Apple account.