Should I use my password manager for storing TOTP codes?

@jonah maybe this is too general for this topic so feel free to move.
But let me ask why use a different tool for 2FA and password syncing? I personally keep my 2FA offline on my phone and backup phone on Aegis and/or YubiKeys (+backups) but if I would think the convenience is worth it I personally honestly think it is okay to use 2FA inside Bitwarden/Proton Pass/1Password. It is surely not as well secured as offline elsewhere, but I deem the risk not that high.

1 Like

Well, consider the fact that you need to secure your password manager with 2FA, you can’t really store that 2FA code in your password manager.

There are benefits to storing TOTP codes in your password manager (compared to not using MFA at all), but your security is still reduced because to access your accounts you now only need a single factor: your password manager.

2 Likes

Right, I skipped over the option of only using a YubiKey for the password manager. But that’s not possible for Proton yet, so that’s a valid point.

As long as you only use properly secured OSs with mandatory sandboxing like Android, iOS and ChromeOS, the difference in security should be negligible. But if you use Windows or Linux, it would be better to just leave the 2FA codes on your smartphone and not have them accessible on these OSs.

1 Like

My point is more that if you have a 2FA app “solely for your password manager” already anyways, then why not just use it in general?

But indeed the whole point is that you actually have to open your phone once in a while; your codes shouldn’t be everywhere. If that’s too inconvenient for you then it’s fine, but you just have to know that it is objectively less secure to have your 2FA codes synced to the cloud and all your devices instead of being locally stored on your phone. Make any decision you want, as long as it’s an informed decision.

4 Likes

Totally agree.

Not an ideal solution, but I’ve created a new Bitwarden account for 2FA. Planning to use Proton Pass for passwords + Bitwarden for 2FA. (Will keep my main Bitwarden account as a backup.)

This makes no sense to me.

I understand, and agree with the broader point you are making (about the tradeoffs inherent to colocating passwords and 2fa in one place, and that it is still a huge improvement over 1fa), but I think that how you worded it can give the wrong impression, specifically:

but your security is still reduced because to access your accounts you now only need a single factor.

Technically, as you noted, there is a single point of failure/vulnerability: your password manager vault. However, that single point of failure is itself protected by 2fa, and the accounts it is protecting are also protected with 2fa.

If someone gains access to your unencrypted vault, it is true that they’ve gained access to both factors, but to do so, they would already have to have either defeated or sidestepped your password manager’s 2fa.

Having truly separate 2fa is superior from a security standpoint. But I think the likelihood of encountering an adversary capable or lucky enough to get past both factors protecting your vault, but simultaneously not capable of bypassing your other 2fa’s, is relatively low.

In my eyes, it comes down to whether one’s threat model assumes their vault will be breached or not. If that is part of your threat model, you shouldn’t store important 2fa’s in the vault, but if this is part of your threat model, you also shouldn’t store banking or cc info, recovery codes, answers to secret questions, cryptocurrency seed phrases, sensitive ID’s, or sensitive secure notes in the vault either. For me and my threat model, I choose to focus more of my effort on protecting the vault itself. But I also recognize for many people the added peace of mind of having truly separate 2fa is more important than the benefits of storing 2fa in the pwm.

2 Likes

Here is how I think about this:

  1. Any form of 2fa is vastly superior to 1fa
  2. Truly separate TOTP is meaningfully superior to TOTP stored in your password manager, but in the real world, the improvement is real but marginal

In almost all real world scenarios either both ways or neither way of storing TOTP secrets would protect you depending on the scenario. There are very few common real world scenarios where one form would protect you and the other would not.

  • An example of a scenario where neither form can protect you is the LastPass breach: encrypted vaults were stolen and can be brute-forced; 2fa is not a factor; the sole thing protecting you is the strength of your master password.
  • An example of a scenario where both forms would protect you is basically any scenario where one of your account passwords is compromised or becomes known to an adversary. In that case 2fa would protect the account regardless of whether
  • The only case where storing your 2fa secrets separately has an advantage is in a scenario where your password manager vault is breached (meaning the adversary either defeated or sidestepped your master pass and your vault’s 2fa). This is a real consideration, but far from the most likely threat most people face. And any adversary that does this has already shown they are capable of defeating what should be a very strong password, and your strongest form of 2fa, so it’s not a stretch to imagine if they could defeat your strong 2fa once they may be able to do it again regardless of where you store those secrets.

3 Likes

My fault, wrong topic.
It’s actually my temporary solution to the Raivo situation on iOS until there’s a solid option.

Yes, but where we disagree here is the definition of “2FA.” Storing your password and TOTP code in your password manager is 1FA. Your password manager is a single factor which grants access to your accounts. You can’t think of TOTP as “2FA” inherently just because it takes a different form than a password.

Thus, my argument is that there is simply no difference between storing TOTP in your password manager, and not using TOTP at all. I’ll break it down: There are really only two main benefits to TOTP 2FA:

  1. Mitigating the risk of password reuse.
  2. Acting as a physical second factor, when your codes are stored only on a separate device.

The first benefit is also achieved by password managers already, if you simply use randomized passwords for every service. The second benefit is negated when you store your codes in a password manager app, as you said.

This is the reason I’m only focusing on separate 2FA apps. Storing TOTP codes in your password manager simply provides negligible real-world benefit to the point where it doesn’t really matter whether you do it or not.

Storing TOTP codes in your password manager really only mitigates two risks as far as I can tell:

  1. Replay attacks, which are prevented by HTTPS.
  2. MITM attacks, which are prevented by HTTPS.

And in either case, both are wildly unlikely anyways compared to easier attacks like phishing, which TOTP doesn’t protect against in the first place. These two attacks were perhaps more relevant a decade ago when TOTP became popular and Let’s Encrypt didn’t exist, but aren’t super relevant today.


For the sake of completeness I’ll note that storing FIDO2 Passkeys in a password manager does make sense and provides significant advantages over just using a password manager alone, so I’m really only referring to TOTP specifically when I talk about how using your password manager for 2FA doesn’t provide an additional advantage over simply using a password manager in the first place.

Although, even in the case of Passkeys it’s still 1FA, the advantage here is that Passkeys are more secure than both passwords and TOTP in other ways.

1 Like
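As an added illustration, not part of the thread or of any password manager's code, of the point that a TOTP seed kept next to the password is a second secret rather than a second factor: the toy RFC 6238 verifier below (SHA-1, 30 s step, 6 digits, the RFC's published test seed) shows that whoever can read a constructed vault entry produces exactly the code the server expects, while a code captured earlier is rejected once the time window has passed. The server-side `login` function and the vault entry are assumptions for the demonstration.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # RFC 6238 default code length
RFC_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # RFC 6238 test seed ("12345678901234567890")


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed_b32: str, at_time: float) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(base64.b32decode(seed_b32.upper()), int(at_time) // STEP_SECONDS)


def verify_totp(seed_b32: str, code: str, at_time: float, window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` steps for clock drift.
    compare_digest keeps the comparison constant-time."""
    seed = base64.b32decode(seed_b32.upper())
    counter = int(at_time) // STEP_SECONDS
    return any(hmac.compare_digest(hotp(seed, counter + d), code)
               for d in range(-window, window + 1))


def login(stored_password: str, seed_b32: str,
          presented_password: str, presented_code: str, at_time: float) -> bool:
    """Toy server login (assumption): the password and a currently valid TOTP code must both match."""
    password_ok = hmac.compare_digest(stored_password, presented_password)
    return password_ok and verify_totp(seed_b32, presented_code, at_time)


if __name__ == "__main__":
    # Constructed vault entry: password and TOTP seed stored side by side, as in a password manager.
    entry = {"password": "correct-horse-battery", "totp_seed": RFC_SEED_B32}
    now = 1234567890  # fixed timestamp so the run is reproducible
    # Whoever reads the entry has everything the server asks for: one store, one factor.
    print(login(entry["password"], entry["totp_seed"], entry["password"], totp(entry["totp_seed"], now), now))
    # A code captured five minutes earlier no longer works, even together with the password.
    print(login(entry["password"], entry["totp_seed"], entry["password"], totp(entry["totp_seed"], now - 300), now))
```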

I have Bitwarden configured to use an email account for its 2FA sign-in on new devices, but I use Bitwarden for storing both passwords and TOTP 2FA for all my other online accounts.

I do not consider this 1FA protection for my online accounts because Bitwarden is protected with 2FA by an independent third party (in my case email).

In other words, since Bitwarden is protected with 2FA in this way, could it not be said that every online account with passwords and TOTP codes stored within Bitwarden is also protected with 2FA?

Someone would have to hack into my Bitwarden account and my email account to get access to my Bitwarden stored passwords and TOTP keys.

Furthermore, if someone brute-forced one of my online accounts or perhaps copied down a few passwords from my Bitwarden app when I stepped out of the room for a minute leaving my computer unattended, they would still have to contend with the TOTP code generated by Bitwarden when attempting to login to one of my accounts from their personal (unknown) device. This is another example of how storing passwords and TOTP codes in Bitwarden is 2FA, not 1FA.

However, in writing this just now it just dawned on me that if I left someone with my laptop or desktop long enough (actually just a minute or two is all it would take, depending on how fast they can type a 25-character alphanumeric password) they could log in to one of my accounts on their device (e.g. a phone) by opening my signed-in Bitwarden app to discover the password and generating the TOTP all in one swoop.

I guess I could set Bitwarden vault timeout on my desktop and laptop to a minute, but that could prove to be quite a pain. Or I just have to remember to lock the vault whenever I step out of the room when questionable people are around.

Maybe in the future I will look into Ente, but for now I’m sticking with what I have. I tried Aegis in the past and was highly disappointed when my phone busted and I couldn’t find the keys to unlock the backup file! But Ente looks promising in that it apparently syncs across multiple devices.

This argument doesn’t really work because it would still hold true even if you did not use 2FA for any of your accounts.

The point is that, in a situation like the one you described here, someone could easily gain access to your accounts on the spot (as you described later), since Bitwarden is the one factor of authentication. This would not be the case if, instead, your second factor of authentication was your phone that you brought with you out of the room, for example. However, I do agree with your point that this is sufficient if one is just trying to protect against bypassed passwords.

1Password and KeePassXC user here. Personally, I still store TOTP codes in my PM vaults for autofill on the browser. Based on my threat model, I think separating a password manager and 2FA app only has a marginal difference in terms of security. The vault itself will still be protected by 2FA, whether it’s from the secret key for 1Password or a YubiKey for KeePassXC. If someone gets access to the vault from a data breach or if the local database was stolen, they would have to brute-force the strong password and get the 2FA for the vault itself. They still wouldn’t be able to get the credentials inside. You’re pretty much dropping convenience for a very small, unlikely-to-happen scenario when separating with a 2FA app.

I store both my TOTP seeds and Aegis recovery in my vault. The vault still has 2fa. Honestly, I still think it would be easier to bypass my phone password and Aegis password to get to those things than it would be to bypass my Bitwarden vault 2fa and password.

I am not really sure how this is any different than having both your TOTP and your vault backed up to Proton Drive. Both are still centrally located on one service. People seem to have no issue with that but get all tripped up by doing the same thing using your vault.

Here I store my TOTP codes in my online password manager. The password manager is protected by two FIDO2 physical security keys as its second factor. It’s good enough for me.
The autofill of website passwords works for username, password and TOTP. As it’s easier and less disrupting, it allows me to enable TOTP on each and every website that uses it, get more security and still have an easy login flow.

Note that the 2FA is for account access and would not add extra protection in a data breach.

Only 1Password uses a secret key to additionally encrypt the vault as far as I know.

Not to be confused with key files like in KeePassXC. 1Password has a feature called a secret key which works as an additional protection if data is stolen from 1Password employees and not from your machine.

For some threat models, using a TOTP app makes sense if you’re only going to use it mainly for cloud-based password managers as an additional form of authentication for logins. However, if you anticipate that your PM service has a high likelihood of being compromised or the encryption wasn’t implemented correctly, then having TOTP codes separate from the service itself does provide an additional security benefit.