Recently, I’ve been thinking about TOTP and how to use it. I’d like to start a discussion about how useful it actually is. Forgive me for the wall of text, but I’ll include a TL;DR at the bottom.
1. I don’t think TOTP is really 2FA at all.
The three factors are:
- something you know (e.g. password)
- something you have (e.g. FIDO2 security key)
- something you are (e.g. biometrics)
I would argue that if a secret can be copied, then it isn’t “something you have” because proving you have the secret doesn’t prove you physically possess some device/item. Under this definition, a security key implementing FIDO CTAP1/U2F or FIDO CTAP2 counts as “something you have”, but a password written down on paper doesn’t (since anybody could steal the password without stealing the paper).
Even if a TOTP secret is received without being intercepted and stored only on a security key, it does not fully count as “something you have” because the TOTP secret is shared by both the security key and the authenticating server. Therefore, proving you have the TOTP secret doesn’t prove you have the security key.
And although the TOTP secret is never transmitted during authentication, that only really protects you against MITM attacks (e.g. replay attacks) and phishing attacks, which are already mitigated by HTTPS and URI matching, respectively. Sure, TOTP could provide a small amount of additional protection against phishing, but it’s not much if you already take other precautions.
So TOTP is basically having a second password, not a second factor.
Note: I don’t include IRL surveillance as part of my threat model, but as long as you are careful about where you type your passwords, even that threat is significantly reduced.
2. Consequently, TOTP only meaningfully improves security if stored on a separate device.
Let’s say you store your passwords and TOTP secrets in separate vaults synced via different providers.
It would certainly be more difficult for an attacker to breach both providers (and the attacker wouldn’t necessarily know which pair of providers you use). However, I think that any provider trusted with your passwords should be trusted to notify you quickly enough in the event of a breach that you’d have time to change all your passwords before your vault could be cracked (as long as you use a good master password).
Therefore, the main concern I have is that one of my devices could be compromised. In that case, even having two vaults with separate and strong master passwords doesn’t provide any benefit. If the attacker has unencrypted access to one vault, then it stands to reason they have unencrypted access to both. Furthermore, doubling the cracking time is equivalent to only ONE additional bit of entropy, so adding a second vault for the attacker to crack doesn’t help.
TL;DR: TOTP isn’t really 2FA and storing your password and TOTP vaults on completely separate devices is required to see significant security benefits. But even then, it’s not as much of an improvement as using true 2FA.
Furthermore, if you do choose to separate your passwords and TOTP secrets in the name of security, then you should never store passkeys within your password manager, since that is just as risky.
And that’s not even getting into the fact that there’s not much 2FA support for encryption. LUKS supports the FIDO HMAC Secret Extension, but a Bitwarden vault only has 2FA for authentication (i.e. getting a copy of your vault from Bitwarden’s servers), not for encryption. If an attacker has your vault, they only need to crack your master password and no longer need to worry about your 2FA.
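
An added illustration of point 1, not part of the original post: a minimal RFC 6238 TOTP in Python showing that the verifier and any holder of a copy of the secret derive the same code. The `Server` class and the function names are hypothetical; the secret is the RFC 6238 test secret, and the sample timestamps are taken from that RFC's test vectors.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Server:
    """Hypothetical verifier. It has to store the same secret as the
    authenticator, because verifying means recomputing the code."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def verify(self, code: str, unix_time: int) -> bool:
        return hmac.compare_digest(code, totp(self.secret, unix_time))


def demo() -> dict:
    secret = b"12345678901234567890"  # RFC 6238 test secret (sample value)
    now = 59                          # sample timestamp from the RFC vectors
    server = Server(secret)

    device_code = totp(secret, now)         # computed on the security key
    copy_code = totp(bytes(secret), now)    # computed from any copy of the secret
    server_code = totp(server.secret, now)  # the server can compute it as well

    return {
        "device_code": device_code,
        "all_equal": device_code == copy_code == server_code,
        "device_accepted": server.verify(device_code, now),
        "copy_accepted": server.verify(copy_code, now),
        # The code is only bound to the time step, not to a device.
        "stale_accepted": server.verify(device_code, 1111111109),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The verifier has no input that distinguishes the device from a copy of the secret. A FIDO authenticator signs a server challenge with a private key that the server never holds, so there is no equivalent shared value on the server side.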