[StavrosK]

I 100% agree with you, but I recently started putting my TOTP tokens in my password manager, and it's so much more convenient to just have the token pasted in while you log in, instead of having to find the phone, turn it on, launch the 2FA app, find the code from a huge list and type it in, that I'm willing to take the security hit.

We need WebAuthn yesterday.

[feistypharit]

Agreed, I hesitated for years to not put 2FA in 1password. But, after a few phone upgrades and resetting each and every account, it's worth it. It can take nearly 10 minutes per account to reset 2FA. Spending a few hours every few years doing that was just too much.

[jorvi]

Putting your 2FA in 1Password sort of reduces your security back to 1 compromise (breach 1Password and you're screwed). I would recommend putting your TOTPs in Authy. Easy to restore and even in multi-device mode waaaay safer than storing all your TOTP next to your passwords.

[Spivak]

While this is true I think if anyone had control of my password database they could remove the 2FA from most of my accounts without much issue.

Also where is the password to your Authy account?

And where are your 2FA backup codes?

[jorvi]

You just give Authy a relatively simple password, and don't save it anywhere. If you don't have Authy in multi-device mode it will be impossible to activate another session, and if you do activate another session while in multi-device mode Authy will check if any other devices are active and if so will ping those devices with a verification request. It checks for an active device so that if you have only one device active and do a reinstall you can still activate. I have my 2FA backup codes in Dropbox, which itself is behind 2FA.

In essence someone has to both get my 1Password password, 1Password secret key and either compromise my phone (for Authy) or my phone number (to recover 2FA backup codes via Dropbox SMS recovery), or my computer (for direct Dropbox access). But very few organisations have that amount of capability and I have nothing stored in my accounts that is worth that capability. If I had, I would store it behind GPG and a password that is only in my mind.

Also, to lose access I'd need to lose my 1Password secret key or forget Authy password + get logged out of all my Dropbox devices simultaneously. The chances of that are rather slim.

[rthille]

I take the secret from the initial signup (2d-barcode/hex string) and encrypt it with my public keys (private keys are on 2 different Yubikeys) and then distribute them to 3 different computers. Overkill, especially given that encrypted local iPhone backups store the GoogleAuthenticator secrets, but it means I won't lose my 2FA secrets if I lose my phone.