[jchw]

The point is that one time passwords are only valid once. If your password is stolen, it's stolen. If a TOTP code is stolen, it's probably not even useful because it's already invalid when they log in (including for time based, in well-designed software.)

There's obviously a class of attack that hardware tokens protect against (malware) that password managers can't entirely (unless your operating system has good sandboxing, like Chrome OS for example.) But it really does protect against phishing to a degree, as well as certain attacks (key loggers or malicious code running on a login page on the browser)

Hardware tokens are the winning approach, but even when you put TOTP into a password manager it is far from useless.

[betterunix2]

It only protects against the most naive phishing attacks, where the attacker just accumulates passwords for use at some later date. More sophisticated phishing attacks will just copy the OTP in real time:

https://www.schneier.com/blog/archives/2015/08/iranian_phish...

U2F defends against that sort of phishing as well.

[jchw]

Sure, but most people aren't targeted by advanced adversaries, so using your password manager for TOTP can be a lightweight way to make most hackers completely disinterested in attacking your account. U2F requires an additional investment. Depending on the type of physical security you want, it's normally a good idea to invest in at least n+1 U2F keys, so you have a spare key you can keep with you and permanent keys in all of your devices. (Obviously, the latter means that your U2F can be stolen easier, but the reality is that this is not nearly as big of a deal as stealing a password, since you can unprovision a U2F key immediately upon realizing that it's gone.)

[SpaethCo]

Proxying the authentication isn't really an "advanced" attack. In a 19 minute video[0] the author of CredSniper[1] gives a complete walk-through for setting up his proof of concept tool, including building the login pages and registering for LetsEncrypt SSL certs. The hardest part still remains choosing the domain name and getting people to click the link, and still people find ways to overcome those hurdles.

As TOTP use has increased, the basic phishing toolkit has evolved to match. Attackers want accounts, not passwords, so they're just adjusting to get working sessions. The passwords were only ever just a means to an end.

[0] https://www.youtube.com/watch?v=TeSt9nEpWTs [1] https://github.com/ustayready/CredSniper

[jchw]

That attack doesn't work when using 1password. 1password refuses to fill on the wrong domain.