by alpb 2426 days ago
I can't help but think the author has recommended (1) storing backup keys (presumably in 1Password?) (2) storing OTP key generation QR codes in 1Password, so it can generate OTP codes for you.

Doesn't this defeat the whole purpose of "two"-factor authentication? If your 1Password gets hacked the attacker has both your passcode and one-time password?

You should consider keeping these two separate: If your 1Password unlocks with FaceID, do not make your Authy (or etc.) also unlock with FaceID. Otherwise, you're defeating the purpose of 2FA (something you "know" and something you "have"), I think.

4 comments

The author was pretty clear about the risks:

> This solution is fine for most people, but this section is about being a bit more paranoid, so I would recommend not using the 1Password integration for your one-time password codes.

> The more extreme option is to manually keep track of the QR code or setup key provided when setting up 2FA for a TOTP authenticator on each account. Backing up these setup codes is a bit controversial and not recommended by the more hardcore security folks as it introduces another avenue by which you could be compromised if not securely stored. If you opt to backup your QR codes, you may want to store them outside of your password manager and in an encrypted manner.

It's slightly less secure but much more convenient, which I think is worth the trade-off. Just having 2FA on means you don't have to worry if a website has its passwords compromised, which is probably the biggest threat for most people.

See my comments elsewhere in this thread. I'd argue that 'having unique passwords for every site' is much more important than 2FA when it comes to the consequences of a site's database being compromised.

For instance, I’ll happily give you my password to ‘My Vodafone’. It’s nXewr7Vq4f)s9>ky. It really is. I don’t give a shit if their database is compromised, it doesn’t affect the rest of my life.

(I haven’t been a customer in about a decade. The login no longer works. You get the point.)

2FA adds nothing to this scenario. I should assume that an attacker who has compromised the site’s database has also compromised their OTP systems.

This is true for some 2FA methods, but you can literally publish all the data for WebAuthn and it won't make any difference to the security for your users or your site. Same reason seeing the certificate for Hacker News doesn't get you any closer to successfully impersonating the site: public key cryptography.

Bad guys who steal my WebAuthn credentials for foo.example don't learn how to sign in as me on any site at all, even on foo.example. If they break into another site, bar.example, and steal all their WebAuthn credentials too, they can't even correlate them to figure out who has sign-ins on both sites.
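
The two claims in the comment above (a leaked credential table does not let anyone sign in, and tables leaked from two sites cannot be joined) can be checked in code. The following is an added Go example, not code from this thread or from any WebAuthn library; it models the device as one fresh P-256 key pair per relying party and the site as a record holding only the public key. The site names foo.example and bar.example, the 37-byte authenticatorData (SHA-256 of the rpID, a flags byte, a 4-byte counter) and the use of the raw challenge in place of the JSON clientData are all constructed simplifications; a real relying party also checks the origin, the challenge type, and that the signature counter has increased.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Authenticator models the user's device: a distinct key pair for every relying party ID.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// Register mints a P-256 key pair scoped to rpID; the site receives only the public key (DER).
func (a *Authenticator) Register(rpID string) ([]byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return x509.MarshalPKIXPublicKey(&priv.PublicKey)
}

// authData is a cut-down WebAuthn authenticatorData: SHA-256(rpID) || flags || counter.
func authData(rpID string) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], 0x01, 0, 0, 0, 1) // flags = user present, counter = 1 (constructed)
}

// signedPayload is what the device signs: authData || SHA-256(clientData); the raw challenge
// stands in for the real JSON clientData (challenge + origin) in this example.
func signedPayload(ad, challenge []byte) []byte {
	c := sha256.Sum256(challenge)
	return append(append([]byte{}, ad...), c[:]...)
}

// Assert answers a challenge with the key minted for rpID and no other.
func (a *Authenticator) Assert(rpID string, challenge []byte) (ad, sig []byte, err error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, nil, errors.New("no credential for " + rpID)
	}
	ad = authData(rpID)
	sig, err = ecdsa.SignASN1(rand.Reader, priv, signedPayload(ad, challenge))
	return ad, sig, err
}

// RelyingParty is the site; PubKey is the entire credential record a database leak exposes.
type RelyingParty struct {
	ID     string
	PubKey []byte
}

func (rp *RelyingParty) Verify(challenge, ad, sig []byte) error {
	want := sha256.Sum256([]byte(rp.ID)) // rpIdHash must name this site, not another one
	if len(ad) < 37 || !bytes.Equal(ad[:32], want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	pub, err := x509.ParsePKIXPublicKey(rp.PubKey)
	if err != nil {
		return err
	}
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(ecPub, signedPayload(ad, challenge), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Outcomes are the four checks the comment's claims reduce to.
type Outcomes struct{ LegitAccepted, ForgeryRejected, CrossSiteRejected, KeysUncorrelated bool }

// Run registers one device at two constructed sites and exercises each claim in turn.
func Run() Outcomes {
	dev := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	foo := &RelyingParty{ID: "foo.example"}
	bar := &RelyingParty{ID: "bar.example"}
	foo.PubKey, _ = dev.Register(foo.ID)
	bar.PubKey, _ = dev.Register(bar.ID)
	ch := make([]byte, 32)
	rand.Read(ch)
	var o Outcomes
	ad, sig, _ := dev.Assert(foo.ID, ch) // the real device answers foo's challenge
	o.LegitAccepted = foo.Verify(ch, ad, sig) == nil
	thief := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} // has foo.PubKey, no private key
	thief.Register(foo.ID)                                       // so it can only sign with its own
	ad, sig, _ = thief.Assert(foo.ID, ch)
	o.ForgeryRejected = foo.Verify(ch, ad, sig) != nil
	ad, sig, _ = dev.Assert(bar.ID, ch) // a genuine bar.example assertion replayed at foo
	o.CrossSiteRejected = foo.Verify(ch, ad, sig) != nil
	o.KeysUncorrelated = !bytes.Equal(foo.PubKey, bar.PubKey) // nothing joins the two leaked tables
	return o
}

func main() {
	fmt.Printf("%+v\n", Run())
}
```

Contrast this with a TOTP database: there the stored secret is the same value the device uses to compute codes, so whoever copies the table can compute every future code. The WebAuthn table holds only public keys, and the rpIdHash check means even a genuine signature made for one site is rejected by another.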

Some websites insist on using 2FA, even if you don't want it.
Further down in the same article:

>but you don't really want to have your password manager also store OTPs