by isclever 1910 days ago
This boggles me when I see this option in any password manager (and I think every single one has this 'option').

Why do password managers let people store TOTP next to the password? This completely invalidates the 2FA of TOTP if your password manager gets broken into.

4 comments

> this completely invalidates the 2FA of TOTP if your password manager gets broken into

I think that's the big "if". If you assume the password manager is secure (which something clearly wasn't in this case, but that seems like an outlier), TOTP secret in the password manager still secures the account.

Is such a setup as protective as a separate storage method? No, but it's leagues more convenient. A cloud-based PW manager also solves the problem of a lost/broken/new phone causing you to lose all of your 2FA setups. Some 2FA apps do as well (Authy, iirc), but trust me when I say people lose 2FA codes _all the time_. And then 2FA needs to be disabled by support, which is its own can of worms.

The best security measures are the ones people actually use. If not having to use a separate app is the convenience people need, then I think it's totally worth it.

You know what's also convenient? 1FA.

Which, incidentally, when you store your TOTP secrets with your passwords, is what you have.

I mean, if the password manager’s store is compromised, then sure, okay. But if only the application password is compromised then it’s still 2FA since the attacker cannot authenticate with just the password.

I see what you're saying, but I disagree.

The F in 2FA is factor. Satisfying one login request from one factor (password vault) is 1FA. This is why the second factor is normally something that isn't your password vault (historically your head, now a piece of software): a hardware key, a recovery code, etc.

A slightly more generous interpretation is 1.49A (rounds down), because of someone with a reused username/password combination. But if you're using a vault with a sophisticated factor, the venn diagram of "people who have your password" and "people who also have your master password" is pretty tight, except for cases where the provider has been breached (all bets are off).

Don't dispose of the second factor for convenience.

And the A in 2FA is authentication, not storage. The password vault is not a factor because it is not what is provided for authentication, the individual password is the factor. The fact that the vault being compromised reveals both factors does not make it no longer 2FA.

Colocating the storage factors definitely makes certain attack vectors possible that aren’t otherwise possible, but it’s still 2FA. Are hardware keys best? Likely, but still many probably have their password vault and TOTP application and storage on the same device (e.g. both Bitwarden and Authy on their mobile device) which is a middle-ground convenience vs. security between TOTP in the password vault and hardware keys—but I doubt many would say that it’s not 2FA.

Because I already use MFA to access my password manager in the first place, and don't want to deal with managing backups for each flavor of MFA app that is pushed on me.

How do you manage MFA for encryption-at-rest? None of the common TOTP systems do this. LastPass and 1Pass have built-in "local encryption keys", but they're stored in the same place as the store and only protected by your password. I think theoretically you could set this up with Keepass using a Composite Master Key (combining a password-protected key and a certificate-protected key, storing the certificate separately, ideally in an HSM), but I don't know anyone who does this.
> Why do password managers let people store TOTP next to the password

One absolutely invaluable use-case is that it lets multiple employees share access to an account with 2FA enabled.

Many systems don’t have appropriate role/permission systems to allow for 2FA otherwise.

The alternative is to navigate 100 separate token reset processes if you ever lose your phone and all of its TOTP tokens.

Or just keep them somewhere that isn’t directly beside the password?

I have my password in a password database, and my TOTP tokens on my phone and a Yubikey.

I have a second “break glass in case of emergency” password database that contains TOTP secrets for all my most essential accounts and a backup of the key loaded on my Yubikey.