Friday, July 7, 2023

Is It Safe to Store Passwords and 2FA Codes Together?

Megan Barker:

It’s important to acknowledge that 2SV is a very valid way to secure your accounts, and improves upon the standard use of a username and password (one-factor authentication). The additional required step can prevent account compromise by someone who gains access to your login information; it acts as a barrier regardless of TOTP location.

But there’s an incredibly specific (and unlikely) scenario in which storing your TOTP in a separate authenticator app may offer additional protection. If an attacker got ahold of your 1Password login information (and your 2FA secret if you’ve added that layer of protection to your 1Password account) but didn’t have control of your device, the separation between your passwords and TOTP could prove useful.

I hedged with may and could because this theoretical attacker who somehow gained access to your 1Password sign-in details would know your email address, Secret Key, and account password (at minimum). Anyone with the ability to gather that much sensitive intel is unlikely to see an authenticator as much of a challenge. And, to my knowledge, there’s no authenticator app or password manager on the market that can safeguard data on a compromised device.

Previously:

Update (2023-07-10): See also: Accidental Tech Podcast, Sebastian Cohnen.

Update (2023-07-11): Adam Engst:

I dislike putting all my security eggs in one basket, and having 1Password contain both kinds of secrets—account passwords and TOTP codes—has given me some pause. I’m pretty confident in my 1Password setup and in 1Password’s integrity and security, but the fact remains that if someone were to gain control of my 1Password account, two-factor authentication wouldn’t restrict access to my most important accounts.

[…]

Two-step verification is a significant improvement over plain password-based authentication because it presents an additional hurdle to anyone attempting to log in to your accounts. But as long as that TOTP code is delivered on the same device and in the same pathway—you unlock 1Password for passwords and TOTPs using the same method—it’s not two-factor authentication. That’s the case if the TOTP code comes from 1Password, Authy, or some other authentication app running on the same device you unlock using a password, Touch ID, or Face ID. However, logging in on your Mac and looking up the TOTP code in Authy on your iPhone would be true two-factor authentication.

[…]

I’m not sure I buy Apple’s answer—if someone were to steal my Mac and guess my login password, they could accept two-factor authentication prompts just as in the iPhone passcode theft scenario we wrote about earlier this year[…] Maybe it’s more like 1.5-factor authentication[…]

He has an interesting idea that maybe 1Password could implement true two-factor authentication since it runs on multiple devices that communicate with their server.
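As an added illustration of Engst's point (not code from the post, from 1Password, or from any authenticator): a vault record that holds the TOTP secret next to the password lets whoever can read that record compute the current code, so the second factor collapses into the first. The secret below is the RFC 6238 test key and the server check is a constructed toy, both assumptions for the demonstration.

```python
import base64
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

# RFC 6238 TOTP: HMAC-SHA1 over the 30-second step counter, then dynamic truncation.
def totp(secret_base32: str, unix_time: int, digits: int = 6, step: int = 30) -> str:
    padded = secret_base32.upper() + "=" * (-len(secret_base32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, "sha1").digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

@dataclass
class VaultEntry:
    """One password-manager record; totp_secret is set when 2FA lives in the vault too."""
    site: str
    password: str
    totp_secret: Optional[str] = None

def factors_from_vault(entry: VaultEntry, unix_time: int) -> dict:
    """What the vault contents alone suffice to present at login time."""
    otp = totp(entry.totp_secret, unix_time) if entry.totp_secret else None
    return {"password": entry.password, "otp": otp}

def server_accepts(submitted: dict, stored_password: str, server_secret: str, unix_time: int) -> bool:
    """Toy relying party: password plus a code matching the current step (constructed, no window)."""
    if submitted["password"] != stored_password or submitted["otp"] is None:
        return False
    return hmac.compare_digest(submitted["otp"], totp(server_secret, unix_time))

# Constructed sample: RFC 6238 test key "12345678901234567890" in base32.
RFC_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
NOW = 1234567890

# Vault holds both secrets: the record alone satisfies the challenge (one factor, really).
COMBINED = VaultEntry("bank.example", "hunter2", RFC_KEY)
# Vault holds only the password: the code must come from somewhere else.
PASSWORD_ONLY = VaultEntry("bank.example", "hunter2")

def demo() -> tuple:
    both = server_accepts(factors_from_vault(COMBINED, NOW), "hunter2", RFC_KEY, NOW)
    one = server_accepts(factors_from_vault(PASSWORD_ONLY, NOW), "hunter2", RFC_KEY, NOW)
    return both, one  # -> (True, False)
```

The vault dump itself is the second factor here; the separate-device setup only helps in the narrow case Barker describes, where the vault is read but the device holding the secret is not.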


I often wonder if the "one point of failure" problem with a password manager is too much of a risk.

Re: single point of failure; as with anything, it’s about trade-offs. Yes, if someone gains access to my 1Password master password, they’ve got nearly unfettered access to my accounts (including in many cases 2FA codes/keys). But if I weren’t using 1Password, I wouldn’t be using secure passwords or 2FA in the first place. The convenience of a password manager enabling good habits in general cannot be overstated.

Now, if I were a high value target or something, that might change the math. Nothing is one-size-fits-all.

"Anyone with the ability to gather that much sensitive intel is unlikely to see an authenticator as much of a challenge"

I don't think that's a reasonable point. The mechanism with which an attacker would gain access to your password manager's contents would likely be a security breach with your password manager (something similar to what happened with LastPass, but more serious).

So the difference between storing 2FA data elsewhere, and storing it in your password manager, is the difference between all of your most sensitive accounts suddenly being available to everybody on the Internet, and them remaining protected. It's not reasonable to just assume that because there was a security breach with your password manager, your 2FA data, which is stored somewhere else, would suddenly also become available.

Since it's trivially easy to just use another app to store your 2FA data, there's really no reason at all to store them with your passwords.

@Plume I tend to agree. I wanted to see what their best case was, but common sense says to enable 2FA but to use two password managers. And, of course, don’t put the password for one into the other. Maybe that’s OK with iCloud Keychain because you need a device to access it, too?

That said, I’m a bit skeptical about the benefits of 2FA. On more than one occasion, including with a bank, I called a support line because of a technical issue, and they offered to just turn off 2FA so that I could log in. One time they did it after asking for some very basic personal information. Another time I think they sent an e-mail to verify.

"I called a support line because of a technical issue, and they offered to just turn off 2FA so that I could log in."

Yeah, I think that's a serious problem. Most people don't keep track of their login credentials in a reliable way, so almost all of these systems are designed to have human-controlled workarounds, which makes them susceptible to social engineering.

I wish there was some kind of checkbox I could check on these systems where I just commit to take responsibility for my login credentials. I'm never going to lose track of my 2FA credentials, I'm never going to forget my password, I'll never request a password reset email, I'll never call and ask to reset my login, just completely disable all of these features on my account.

Having said that, I don't think that just because the social engineering route exists we should not make our accounts as technically secure as we can. Because for most people, the threat isn't a targeted attack where attackers actually make an effort to get into your account. Instead, it's being caught up in some kind of mass data breach, and attackers just logging into as many accounts as possible in the shortest time possible to make as much money as possible. In that context, even a low hurdle will just make them move on to the next account, which won't have any hurdles at all.

Old Unix Geek

@Plume: you might forget your password if you have an accident or illness of some kind. There needs to be a better solution.

I have contingencies for that. I have distributed my login information among my family and trusted friends. In case of an emergency, if at least half of them come together, they can unlock all of my data.
