Hacker News new | ask | show | jobs
by reconbot 2734 days ago
I was having an argument over 1password's 2fa support not being a second factor. (I don't think it is.) However, it is so much safer than not using 2fa. In similar terms U2F is amazing and keeps you from being phished and has a great challenge/response protocol, if that was implemented in 1password (or browsers themselves thank you!) we'd all be a lot safer than not using it at all.

In 2018 I'm using an app to take screenshots of QR codes to generate one time codes. It's a sad state of the art, we need to do better.
2 comments
aasasd 2734 days ago
Afaiu 2fa primarily protects from password leaks on the part of the service and coincidentally some other kinds of leaks such as keylogging. Not so much from data theft on the user's side.

A different question, though, is whether a password keeper web service could leak passwords like any other service.

link
chimeracoder 2734 days ago
> Afaiu 2fa primarily protects from password leaks on the part of the service and coincidentally some other kinds of leaks such as keylogging. Not so much from data theft on the user's side.

2FA is meant to protect primarily against phishing. It happens to protect against some other attacks as well, but phishing is the primary motivation.

That's why physical U2F devices are considered the gold standard of authentication today - it's possible to phish a TOTP code, but it's very difficult to phish a U2F signature, and impossible to do so through a scalable, automated attack.

link
seppin 2734 days ago
> (I don't think it is.)

If your master password is someone exposed, then nothing really protects you.

link
matwood 2734 days ago
This is not true. 1Password could have a breach which exposes your master password. A hacker would then have access to your passwords, but not your 2fa. Even if you do not keep these items physically separated like a hardware token, it makes complete sense to have them be in different applications. For example, passwords in 1Password and tokens stored in Authy.
link
dev_dull 2734 days ago
Wouldn’t an 2fa device (such as an otp token) actually protect you in this case? They have your password but not your otp generator.
link
seppin 2734 days ago
Yes but to have your MP they'd most likely have rooted your device, they could surely do the same to your mobile.

If they could do one, they can do the other. Just a matter of efforts I guess

link