If I use a separate, rarely used phone for TOTP for websites on my computer, is it more secure than using Windows Hello passkeys for websites? If my computer was compromised by malware, someone could keylog my Windows PIN and use remote control of my computer to falsify/bypass the passkey via the PIN. This would not work on their computer, but since they have remote control of my computer, they can sign in on MY computer. Is Windows Hello still more secure than TOTP?
Can you even have TOTP as 2FA for a Windows computer? Isn’t the disk just encrypted with only a password?
Sorry, your question is a little bit hard to understand.
Do you ask, if TOTP with the App on your phone or using Passkeys with Microsoft’s passkey storage is more secure?
To me, “Windows Hello” is a method to authenticate yourself on Windows and it doesn’t have anything to do with 2FA. Assuming I understood the question correctly, the answer is: It depends.
I personally wouldn’t trust Microsoft with anything security-related, and especially not to be the keeper of my passwords or Passkeys, but that is actually beside the point.
Passkeys are more secure because they cannot be phished; however, if your PC is compromised, they can be stolen.
Having to control two devices for authentication reduces risk, but you are using less hardened technology with TOTP.
So what do I recommend?
- Get a solid platform-independent password manager with a good track record, like Bitwarden.
- Get two hardware FIDO2 keys for securing your most valuable accounts, such as your Microsoft, Google, Apple account, and of course, your password manager account.
- Use TOTP or Passkeys with your password manager as the keeper of secrets, depending on availability.
In theory, you are a little bit less secure if you do TOTP with a separate device, but in practice, a well-configured auto-fill function provided by a good password manager makes up for that, because it acts as a soft form of phishing protection. If you always get a convenient auto-fill button on the genuine website, but it’s missing on the phishing website, you have a reason to pause instead of falling for the trick.
Keep one FIDO2 hardware key and a note with your master password in a safe and you can make sure your digital life can be handled by your loved ones in the event of your death.
Windows Hello supports device-bound passkeys so you can use your Windows PIN or biometrics as 2FA/logins for websites. If I understand correctly, Microsoft does not have access to them, and you are unable to store them on the cloud even if you want to.
Also, isn’t using a password manager to store passkeys functionally the same as using password managers for TOTP? One of the very first articles in Privacy Guides warns against that:
“Don’t place your passwords and TOTP tokens inside the same password manager
When using TOTP codes as multifactor authentication, the best security practice is to keep your TOTP codes in a separate app.
Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager.
Furthermore, we do not recommend storing single-use recovery codes in your password manager. Those should be stored separately such as in an encrypted container on an offline storage device.”
Getting a hardware key seems like maybe overkill to me, I’m not sure. What do you think?
No, you misunderstand. Windows Hello supports device-bound passkeys so you can use your Windows PIN or biometrics as 2FA/logins for websites.
I know this advice and do not agree. I need my password manager on all my devices and I need TOTP on all of my devices. The convenience benefit of having your TOTP key in your password manager is huge.
Yes, someone who gets access to your device could steal your password vault. But the same person could also steal your session cookies. If you have TOTP on another device, each login requires you to get the device, open the app, type the code. So you are much more likely to stay logged in.
Besides a potential loss there is always actual loss to consider. All the time you spend on a login process is lost. That can add up fast.
Working with a lot of people showed me that nobody likes the work to build and maintain a solid security posture. So I concentrate on making the daily operation as convenient and efficient as possible. If living with a password manager (meaning long, unique, random passwords and 2FA for every account) is more convenient in daily operation than having the same weak password for every account, the setup time is easily worth it and the chance of somebody undermining their own security posture for convenience shortcuts is much lower.
While I agree with @randomperson, to answer OP’s question more directly, and this is all my own opinion:
Yes, a separate TOTP device can be more resistant than Windows Hello passkeys, especially if your threat model revolves more around endpoint compromise rather than phishing (which your post seems to imply?), but really only that. Passkeys are still superior against phishing, credential theft, fake login pages, replay attacks, … So the answer really depends on what you’re optimizing for.
Personally, I would consider hardware-backed passkeys on a dedicated authenticator (like a security key) the best middle ground, since they retain phishing resistance while also moving the credential off the potentially compromised PC entirely.
It takes me… 10 seconds to grab the device that has my MFA app, get the code, and type it in and finish the login process. Maybe if I leave that device in another room or something it takes a bit longer to get in, but still. We’re not really talking any real loss of time here.
If you do that every day for 60 years, you lose 2 days of your life. 2 days isn’t actually THAT much in the grand scheme of things, and are you really going to use 2FA every day for 60 years? Besides, there’s always friction involved in daily tasks, it’s just part of life. Trying to get rid of every last bit of friction is probably crazy.
I just want decent personal online security for an average person who owns a bit of money and crypto.
I don’t follow the advice myself. TOTP is so insecure anyway I don’t feel the extra inconvenience and potential for locking yourself out of your accounts is honestly worth it.
By insecure I mean TOTP can very easily be phished, and the only thing protecting you is a 30 second timer. Phishing is very automated these days, so attackers will be able to put the code in before it expires.
If it works for you and you don’t feel inconvenienced, that’s great.
I still wouldn’t recommend it by default, because there are many reasons or situations it might not work:
- Some people have only one device.
- Some people have to deal with social media addiction and have to remove their phone from their immediate work space.
- Some people are clumsy and destroy their phones.
If someone who did not deeply care for privacy and security follows my advice, I don’t want them to regret it. As soon as some stupid thing happens and they are not able to operate anymore because of “security measures” people get very willing to undermine all security.
Nobody wants an operating system you can break in without a password, until they change the password and forget it immediately.
Also, I don’t believe you should plan for wanting to be fine while your device is compromised. That’s like planning for how to keep sleeping in your house while it’s on fire. A breach of your device must be contained as much as possible (e.g. sandboxing), detected as soon as possible and dealt with immediately after detection. Of course all measures to prevent a breach must be taken in the first place (timely, automatic security updates, clean software supply chain, …). Avoiding a breach is much better than dealing with it.
Maybe I’ve just been in my bubble for so long that I forgot that there are people who are completely inept at this kind of thing… I see your point. At this point it’s just second nature, hardly even a hassle for me.
> I don’t follow the advice myself. TOTP is so insecure anyway I don’t feel the extra inconvenience and potential for locking yourself out of your accounts is honestly worth it.
> By insecure I mean TOTP can very easily be phished, and the only thing protecting you is a 30 second timer. Phishing is very automated these days, so attackers will be able to put the code in before it expires.
I’ve been trying to separate that same theoretical risk from the realistic one. Live phishing is possible, but if someone is careful, keeps logins bookmarked, pays attention before signing in, and has a tinfoil-hat level of caution about man-in-the-middle, it seems like an astronomically low probability scenario.
The bigger concern feels like session hijacking. At that point, nothing matters anymore anyway, which seems like the more dangerous threat for someone with strong habits. I’m sure some will disagree, but if you’re extremely cautious, I don’t find this to be that big of an issue.