by symlinkk 1298 days ago
> if you're satisfied with first and second factor living in the same spot

It’s no longer “2FA” then.


It is still 2-factor; breaching the password manager is a corner case that you can decide to cover or not. It seems like for critical accounts you should NOT. For derived accounts, it should be better than just a password.

Only very marginally so. Or what would you say storing a (unique, long) password next to a TOTP hash actually achieves?

Well, the TOTP (even in your password manager) defends against phishing, I'd thought, vs. password alone.

For a "service based" password manager, sure. (It can prevent the service from ever handing over your encrypted database to an attacker.)

In a local password manager, it doesn't work like that. A challenge-response mechanism can help there, but the cost/benefit analysis looks pretty different there, IMO.

Eh, it's still a lot better than SMS 2FA.