{"id":39990,"date":"2023-07-07T14:14:14","date_gmt":"2023-07-07T18:14:14","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=39990"},"modified":"2023-07-11T11:48:09","modified_gmt":"2023-07-11T15:48:09","slug":"is-it-safe-to-store-passwords-and-2fa-codes-together","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2023\/07\/07\/is-it-safe-to-store-passwords-and-2fa-codes-together\/","title":{"rendered":"Is It Safe to Store Passwords and 2FA Codes Together?"},"content":{"rendered":"<p><a href=\"https:\/\/blog.1password.com\/1password-2fa-passwords-codes-together\/\">Megan Barker<\/a>:<\/p>\n<blockquote cite=\"https:\/\/blog.1password.com\/1password-2fa-passwords-codes-together\/\">\n<p>It&rsquo;s important to acknowledge that 2SV is a very valid way to secure your accounts, and improves upon the standard use of a username and password (one-factor authentication). The additional required step can prevent account compromise by someone who gains access to your login information; it acts as a barrier <em>regardless<\/em> of TOTP location.<\/p><p>But there&rsquo;s an incredibly specific (and unlikely) scenario in which storing your TOTP in a separate authenticator app <em>may<\/em> offer additional protection. If an attacker got ahold of your 1Password login information (<em>and<\/em> your 2FA secret if you&rsquo;ve added that layer of protection to your 1Password account) but <strong>didn&rsquo;t<\/strong> have control of your device, the separation between your passwords and TOTP <em>could<\/em> prove useful.<\/p>\n<p>I hedged with <em>may<\/em> and <em>could<\/em> because this theoretical attacker who somehow gained access to your 1Password sign-in details would know your email address, Secret Key, and account password (at minimum). Anyone with the ability to gather that much sensitive intel is unlikely to see an authenticator as much of a challenge. 
And, to my knowledge, there&rsquo;s no authenticator app or password manager on the market that can safeguard data on a <a href=\"https:\/\/blog.1password.com\/watch-what-you-type-1passwords-defenses-against-keystroke-loggers\/\">compromised device<\/a>.<\/p>\n<\/blockquote>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2023\/05\/08\/passkeys-a-loss-of-user-control\/\">Passkeys: A Loss of User Control?<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2023\/04\/26\/google-authenticator-adds-syncing\/\">Google Authenticator Adds Syncing<\/a><\/li>\n<\/ul>\n\n<p id=\"is-it-safe-to-store-passwords-and-2fa-codes-together-update-2023-07-10\">Update (2023-07-10): See also: <a href=\"https:\/\/atp.fm\/540\">Accidental Tech Podcast<\/a>, <a href=\"https:\/\/ruby.social\/@tisba\/110306752130907633\">Sebastian Cohnen<\/a>.<\/p>\n\n<p id=\"is-it-safe-to-store-passwords-and-2fa-codes-together-update-2023-07-11\">Update (2023-07-11): <a href=\"https:\/\/tidbits.com\/2023\/07\/10\/two-factor-authentication-two-step-verification-and-1password\/\">Adam Engst<\/a>:<\/p>\n<blockquote cite=\"https:\/\/tidbits.com\/2023\/07\/10\/two-factor-authentication-two-step-verification-and-1password\/\">\n<p>I dislike putting all my security eggs in one basket, and having 1Password contain both kinds of secrets&mdash;account passwords and TOTP codes&mdash;has given me some pause. I&rsquo;m pretty confident in my 1Password setup and in 1Password&rsquo;s integrity and security, but the fact remains that if someone were to gain control of my 1Password account, two-factor authentication wouldn&rsquo;t restrict access to my most important accounts.<\/p>\n<p>[&#8230;]<\/p>\n<p>Two-step verification is a significant improvement over plain password-based authentication because it presents an additional hurdle to anyone attempting to log in to your accounts. 
But as long as that TOTP code is delivered on the same device and in the same pathway&mdash;you unlock 1Password for passwords and TOTPs using the same method&mdash;it&rsquo;s not two-factor authentication. That&rsquo;s the case if the TOTP code comes from 1Password, Authy, or some other authentication app running on the same device you unlock using a password, Touch ID, or Face ID. However, logging in on your Mac and looking up the TOTP code in Authy on your iPhone would be true two-factor authentication.<\/p>\n<p>[&#8230;]<\/p>\n<p>I&rsquo;m not sure I buy Apple&rsquo;s answer&mdash;if someone were to steal my Mac and guess my login password, they could accept two-factor authentication prompts just as in the iPhone passcode theft scenario we wrote about earlier this year[&#8230;] Maybe it&rsquo;s more like 1.5-factor authentication[&#8230;]<\/p>\n<\/blockquote>\n<p>He has an interesting idea that maybe 1Password <em>could<\/em> implement true two-factor authentication since it runs on multiple devices that communicate with their server.<\/p>","protected":false},"excerpt":{"rendered":"<p>Megan Barker: It&rsquo;s important to acknowledge that 2SV is a very valid way to secure your accounts, and improves upon the standard use of a username and password (one-factor authentication). 
The additional required step can prevent account compromise by someone who gains access to your login information; it acts as a barrier regardless of TOTP [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2023-07-07T18:14:17Z","apple_news_api_id":"32d4b1f5-b5e5-481b-9a8f-8b98be4513fe","apple_news_api_modified_at":"2023-07-11T15:48:12Z","apple_news_api_revision":"AAAAAAAAAAAAAAAAAAAAAQ==","apple_news_api_share_url":"https:\/\/apple.news\/AMtSx9bXlSBuaj4uYvkUT_g","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[284,31,2185,26,30,32,2223,981,48,2090],"class_list":["post-39990","post","type-post","status-publish","format-standard","hentry","category-technology","tag-1password","tag-ios","tag-ios-16","tag-iosapp","tag-mac","tag-macapp","tag-macos-13-ventura","tag-passwords","tag-security","tag-two-factor-authentication-2fa"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/39990","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=39990"}],"version-history":[{"count":3,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/39990\/revisions"}],"predecessor-version":[{"id":40018,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/39990\/revisions\/40018"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=39990"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=39990"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=39990"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}