If your password is compromised they still don't have access to your OTP, so 2 factor. If your password manager is compromised then they have both, 1 factor.
I'm no math wiz but pretty sure that makes it a 1.5 factor
Right, presumably with a password manager you’re using a totally random string as your password too, coupled with different passwords for each site. So there are a combination of factors that make it still much more secure than just “both factors in one place”, since neither factor can easily be guessed.
The main threat vector would be, as you mentioned, compromise of the actual password manager.
As far as I can tell, 1Password’s end to end encrypted architecture makes this less probable.
That would reduce the main risks to our actual devices.
TOTP MFA is crap anyway because it has no passcode and it is so trivial to sync, and it’s common for people to do so. So in scenarios where people close to you are a risk, or you’re dealing with other people’s data, it’s a pretty weak control. It’s great for preventing spray attacks and mitigating some compromise scenarios.
It’s likely members of your household, friends, coworkers have access to shared devices or shared vaults in 1Password. That makes that type of MFA more like 1.5 factor vs 2 factor.
1Password is itself a two-factor app. The password is something you know and the secret key is something you have. Definitely counter-intuitive, but like how your operating system can contain both your password and your 2FA app, or your desk can contain your computer and your hardware key.
Whether you want to be one bad front-end UI deployment away from both factors being exposed, fair question...
I had this same issue. Use a shared vault with OTP. Anyone with access to the vault can see the same 2FA code.
As for shared SMS, look into Google Voice. They automatically forward SMS texts to email as an option. I created a "shared" email account and gave my family access to that.
A lot of sites won't allow you to use a Google Voice number for your 2FA. There are services now that will validate if a number is VOIP, and then the site you're on can choose to filter those at the application level.
I did find a way around this, in that I had a real number, added all my 2FA accounts to it, and then ported the number to Google Voice, but this isn't a long term solution. Idk how long Google Voice will stick around, but I have found a couple backup options that are low cost if I need to keep the number long term.
I hope their desktop app is better now. Last time I took a look, the whole vault was decrypted in memory, and even when it timed out and prompted the user for the password, I was still able to inspect memory and retrieve the plaintext passwords.
I use 1Password OTP for everything that I don't care about, where people can't do real damage (YNAB, LinkedIn, etc). But anything important like my email account or bank accounts I keep on my phone using Raivo.
I'm staying on 1Password 7 to avoid their subscription fees, and using synced, shared vaults to have access on my devices too (and share vaults with others as necessary). There's some duplication in Apple Keychain and Firefox for convenience.
I use 1Password's built-in 2FA (TOTP), but only for a couple of accounts as I find it unwieldy generally. I'm also keeping an eye on how passkeys develop over time.
I understand the idea of putting both factors in one place is odd, but I feel it strikes the right balance between convenience and security.